Verdict: MALICIOUS
Risk Score: 182

Malware Insights

MITRE ATT&CK:
- T1203 Exploitation for Client Execution
- T1566.001 Spearphishing Attachment
The RTF file contains numerous OLE objects and uses \objupdate to force OLE activation, strongly indicating exploitation of CVE-2017-8759. This vulnerability allows for arbitrary code execution when a vulnerable MSXML version processes the embedded OLE object, likely leading to the download and execution of a secondary payload. The presence of large hex data blocks within the OLE object further suggests the hiding of malicious content.
Heuristics (6)

- CVE-2017-8759 — MSXML SAX OLE activation [critical, CVE likely] (rule CVE_2017_8759): RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
- \objupdate forces OLE activation [high] (rule RTF_OBJUPDATE): RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
- Large hex data blocks in OLE object [high] (rule RTF_EXCESSIVE_HEX): RTF contains ~1010KB of hex-encoded data inside \objdata sections — may hide a payload.
- OLE object data [medium] (rule RTF_OBJDATA): RTF contains 15 \objdata section(s) — embedded OLE objects.
- Embedded OLE object [medium] (rule RTF_OBJEMB): RTF contains \objemb — embedded OLE object.
- Embedded URL [info] (rule EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)
Extracted artifacts (15)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| objdata_00_off00002b09.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2B09 | 32321 bytes | a1b3a5365c74c46776bcdc579574ccdf110533f419d0f79c6f857c49607273ad |
| objdata_01_off000181fd.bin | rtf-objdata-decoded | RTF \objdata at offset 0x181FD | 32321 bytes | 8dac66aa1cecd84c6d153b7795a7a662480b71cc0d4de9ef7b5d8cd808a4aeee |
| objdata_02_off0002d8f1.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2D8F1 | 32321 bytes | aa0e86e47dc65893414a4c28089b974e873999949f8e0739e83773c2bea22189 |
| objdata_03_off00042fe5.bin | rtf-objdata-decoded | RTF \objdata at offset 0x42FE5 | 32321 bytes | 6652d2b48b097ccc6ee019136bb5ecdab66419b8eb11b9c8687ae7b6471cd5f5 |
| objdata_04_off000586d9.bin | rtf-objdata-decoded | RTF \objdata at offset 0x586D9 | 32321 bytes | eb278c2ea205be3ed676564156a5db41920492c68588363caa7aba45a5b87db8 |
| objdata_05_off0006ddcd.bin | rtf-objdata-decoded | RTF \objdata at offset 0x6DDCD | 32321 bytes | 2ab4d8c5df343769a6a1c6b4f5a80384cfc7eae2327149405201fdc8eb3b4feb |
| objdata_06_off000834c1.bin | rtf-objdata-decoded | RTF \objdata at offset 0x834C1 | 32321 bytes | d4b1576783ab40abac9d4493b02b9b390c3e30925ed0e4d6e6a67833086ff12f |
| objdata_07_off00098bb5.bin | rtf-objdata-decoded | RTF \objdata at offset 0x98BB5 | 32321 bytes | 53c93340dc2ade437b7e348e55430ec256f52a6774302d766618c54782c4251d |
| objdata_08_off000ae2a9.bin | rtf-objdata-decoded | RTF \objdata at offset 0xAE2A9 | 32321 bytes | 9aaad56962f89386ca64fa909bcc0af963f001093c569340cadcfa59153def2a |
| objdata_09_off000c399d.bin | rtf-objdata-decoded | RTF \objdata at offset 0xC399D | 32321 bytes | 6aa92fe117281acb7b858398534eedea574d1403f43c68e58ce597b3e30032b4 |
| objdata_10_off000d9091.bin | rtf-objdata-decoded | RTF \objdata at offset 0xD9091 | 32321 bytes | 2c2430c34407ed059a6da8d2a8bc828870eccb73e4176a8b7591efe3667103bc |
| objdata_11_off000ee785.bin | rtf-objdata-decoded | RTF \objdata at offset 0xEE785 | 32321 bytes | cb9c6e9892197a00cf6238de182252e92e19ede037440cd0d2e20c7efb762238 |
| objdata_12_off00103e79.bin | rtf-objdata-decoded | RTF \objdata at offset 0x103E79 | 32321 bytes | 08adf10916bb7c3952c7af6bb116815ecae3f1c9cc03c7036dc936f25eaf0441 |
| objdata_13_off0011956d.bin | rtf-objdata-decoded | RTF \objdata at offset 0x11956D | 32321 bytes | c6e25a82b9e44ade6f2b4fe551ca93a76ced613fd49cf142c3eeceb30b068105 |
| objdata_14_off0012ec61.bin | rtf-objdata-decoded | RTF \objdata at offset 0x12EC61 | 32321 bytes | 12876e388ae7a4f710b8ca0f84f577b710637e5bbe4fb7a6c0dcb066a9ae8ca0 |