MALICIOUS
282
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
T1027 Obfuscated Files or Information
The RTF file exhibits multiple high-severity heuristics related to embedded OLE objects and excessive hex-encoded data, strongly indicating a malicious intent to hide and execute a payload. ClamAV detection confirms this, identifying the file as Xls.Malware.Sload-7135989-0. The presence of ".objupdate" forces OLE activation, likely triggering the embedded malicious content.
Heuristics 7
-
Composite Moniker in RTF OLE object high RTF_COMPOSITE_MONIKER_RELATEDRTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
-
ClamAV: Xls.Malware.Sload-7135989-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Xls.Malware.Sload-7135989-0
-
\objupdate forces OLE activation high RTF_OBJUPDATERTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
-
Large hex data blocks in OLE object high RTF_EXCESSIVE_HEXRTF contains ~1027KB of hex-encoded data inside \objdata sections — may hide a payload
-
OLE object data medium RTF_OBJDATARTF contains 15 \objdata section(s) — embedded OLE objects
-
Embedded OLE object medium RTF_OBJEMBRTF contains \objemb — embedded OLE object
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.microsoft.com/office/word/2003/wordml In RTF body
Extracted artifacts 15
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
objdata_00_off00003c9b.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x3C9B | 24635 bytes |
SHA-256: d92825d9c65e7a9308658f93cd30b8ac4d2c0beffe8f322020fa446ef92ea213 |
|||
|
Detection
ClamAV:
Xls.Malware.Sload-7135989-0
Obfuscation or payload:
unlikely
|
|||
objdata_01_off000154e4.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x154E4 | 24635 bytes |
SHA-256: b7ce3540b1c654776b61019800c39085ab9e5d1ce797430d7a36dd1f0db98d35 |
|||
|
Detection
ClamAV:
Xls.Malware.Sload-7135989-0
Obfuscation or payload:
unlikely
|
|||
objdata_02_off00026d2d.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x26D2D | 24635 bytes |
SHA-256: 53c5170a1f9d5da54a5b4512271e98cc4867248432b583c8b3e230daf72f3a42 |
|||
|
Detection
ClamAV:
Xls.Malware.Sload-7135989-0
Obfuscation or payload:
unlikely
|
|||
objdata_03_off00038576.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x38576 | 24635 bytes |
SHA-256: e6b6a3bc898317b3df25f8506416366e83ef8af6abae40ee2ec3f45dd0ba591d |
|||
|
Detection
ClamAV:
Xls.Malware.Sload-7135989-0
Obfuscation or payload:
unlikely
|
|||
objdata_04_off00049dbf.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x49DBF | 24635 bytes |
SHA-256: e5e5674d1b47c4cfc3847825c9a0e8674544a28ad3ff45c1cc59635e34be60ad |
|||
|
Detection
ClamAV:
Xls.Malware.Sload-7135989-0
Obfuscation or payload:
unlikely
|
|||
objdata_05_off0005c418.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x5C418 | 24635 bytes |
SHA-256: 035dcc81fb5b1aa4c98de470e5f23cea6da2099d9ea8f195ee6c736ea86b0729 |
|||
|
Detection
ClamAV:
Xls.Malware.Sload-7135989-0
Obfuscation or payload:
unlikely
|
|||
objdata_06_off0006db71.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x6DB71 | 24635 bytes |
SHA-256: f4eca59d80dfb58ca01d9452530bd1570d8c504a777fcdfc9c3b09b8b7e1fe7c |
|||
|
Detection
ClamAV:
Xls.Malware.Sload-7135989-0
Obfuscation or payload:
unlikely
|
|||
objdata_07_off0007f3da.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x7F3DA | 24635 bytes |
SHA-256: 55b92bb86375ba5d8e7c09785b3b118ddcb526fc9c2c18446824a17c9ecc811d |
|||
|
Detection
ClamAV:
Xls.Malware.Sload-7135989-0
Obfuscation or payload:
unlikely
|
|||
objdata_08_off00090c43.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x90C43 | 24635 bytes |
SHA-256: adea57addf1933a97a92b63f1974be5d9ad1cf9900d45243fe699e2044dbb52f |
|||
|
Detection
ClamAV:
Xls.Malware.Sload-7135989-0
Obfuscation or payload:
unlikely
|
|||
objdata_09_off000a24ac.bin |
rtf-objdata-decoded | RTF \objdata at offset 0xA24AC | 24635 bytes |
SHA-256: 7d03e75a4faac372bf4a770d8bb7ed0677845f28291abcce898d77af06fff2f6 |
|||
|
Detection
ClamAV:
Xls.Malware.Sload-7135989-0
Obfuscation or payload:
unlikely
|
|||
objdata_10_off000b3d15.bin |
rtf-objdata-decoded | RTF \objdata at offset 0xB3D15 | 24635 bytes |
SHA-256: 2c8e1f073a11efca801066c771283feb63efef9236e1f475c2b3399e61491dd2 |
|||
|
Detection
ClamAV:
Xls.Malware.Sload-7135989-0
Obfuscation or payload:
unlikely
|
|||
objdata_11_off000c5602.bin |
rtf-objdata-decoded | RTF \objdata at offset 0xC5602 | 24635 bytes |
SHA-256: b9dc1d79fefd88927076d383911f027031d13d944f60dcca8f940238ff417c39 |
|||
|
Detection
ClamAV:
Xls.Malware.Sload-7135989-0
Obfuscation or payload:
unlikely
|
|||
objdata_12_off000d6e6b.bin |
rtf-objdata-decoded | RTF \objdata at offset 0xD6E6B | 24635 bytes |
SHA-256: 71a95f897b3ee1af3876174956493587fe5ee7829bb9ad1b1c130ac2c440a52f |
|||
|
Detection
ClamAV:
Xls.Malware.Sload-7135989-0
Obfuscation or payload:
unlikely
|
|||
objdata_13_off000e86d4.bin |
rtf-objdata-decoded | RTF \objdata at offset 0xE86D4 | 24635 bytes |
SHA-256: 758b91f02a28ec5ab506d026ff2e1ee63bb23e58e60994921923a2726351e86a |
|||
|
Detection
ClamAV:
Xls.Malware.Sload-7135989-0
Obfuscation or payload:
unlikely
|
|||
objdata_14_off000f9f3d.bin |
rtf-objdata-decoded | RTF \objdata at offset 0xF9F3D | 24635 bytes |
SHA-256: cc23e9e45d8017ef85125205b8c5b296410e7e3203e0c238187227f7dd3074b5 |
|||
|
Detection
ClamAV:
Xls.Malware.Sload-7135989-0
Obfuscation or payload:
unlikely
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.