Verdict: MALICIOUS
Risk Score: 262

Malware Insights

MITRE ATT&CK
- T1203 Exploitation for Client Execution
- T1566.001 Spearphishing Attachment
The RTF file contains multiple embedded OLE objects and triggers an exploit for CVE-2017-8759, which is known to facilitate arbitrary code execution. This indicates the file's primary purpose is to exploit this vulnerability to download and execute a secondary payload, likely delivered via a spearphishing attachment. The ClamAV detection further supports its malicious nature.
Heuristics (6)
- CVE-2017-8759 — MSXML SAX OLE activation (critical; CVE likely; rule CVE_2017_8759): RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
- ClamAV: Doc.Macro.Obfuscation-6391394-0 (critical; rule CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Macro.Obfuscation-6391394-0
- \objupdate forces OLE activation (high; rule RTF_OBJUPDATE): RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
- OLE object data (medium; rule RTF_OBJDATA): RTF contains 10 \objdata section(s) — embedded OLE objects
- Embedded OLE object (medium; rule RTF_OBJEMB): RTF contains \objemb — embedded OLE object
- Embedded URL (info; rule EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)
Extracted artifacts (10)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 | Detection | Obfuscation or payload |
|---|---|---|---|---|---|---|
| objdata_00_off00002a8f.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2A8F | 28225 bytes | 2ca755df5ef1df6d58538fb50b38d1ea6810d7cdae9b6d6bacf7bc2a976ed0da | ClamAV: Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_01_off0001610e.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1610E | 28225 bytes | a1e6895d8ee1efc3e9a89c1a691d99e48e5b766f0f6a72f889ad8c6e55b729b5 | ClamAV: Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_02_off0002978f.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2978F | 28225 bytes | edeffbbf272b8a018dcf277ba11f1ba6bd6dae8390f3f6839a6ae62d72f3c382 | ClamAV: Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_03_off0003ce10.bin | rtf-objdata-decoded | RTF \objdata at offset 0x3CE10 | 28225 bytes | 2f98b5410efaebce85849210c76a0fe0dabac30cb791a615c3f039b793965b4e | ClamAV: Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_04_off00050491.bin | rtf-objdata-decoded | RTF \objdata at offset 0x50491 | 28225 bytes | 1c85b31937a36d8d4292a5b622e889c264a35f8591f3c9daea6d2b7c74b9356e | ClamAV: Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_05_off00063b12.bin | rtf-objdata-decoded | RTF \objdata at offset 0x63B12 | 28225 bytes | 17d670b83f4af17dc6588614eb877d41dde5407978989707c91c322f02aa6104 | ClamAV: Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_06_off00077193.bin | rtf-objdata-decoded | RTF \objdata at offset 0x77193 | 28225 bytes | d63a30e6551e9c445475fcb7bc8e479e031d64d49f21a0bb2841e0652047c1e1 | ClamAV: Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_07_off0008a814.bin | rtf-objdata-decoded | RTF \objdata at offset 0x8A814 | 28225 bytes | 1c98ba8ff89c24b576e6f2aa4d1469a00e7e5316f1afde721072d69cefe16be8 | ClamAV: Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_08_off0009de95.bin | rtf-objdata-decoded | RTF \objdata at offset 0x9DE95 | 28225 bytes | 4fb7b78772d0bcb0721c8f726f431fc6ba94cf53980cab73beaf9cf4bf0ae8ea | ClamAV: Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_09_off000b1516.bin | rtf-objdata-decoded | RTF \objdata at offset 0xB1516 | 28225 bytes | a59c0d2fd2ae0709d54fda3563c6d8653c895fa7c82b5c77f62d1282d23307dd | ClamAV: Doc.Macro.Obfuscation-6391394-0 | unlikely |