MALICIOUS
282
Risk Score
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
The RTF file contains multiple OLE objects with excessive hex-encoded data, indicative of a hidden payload. The critical CVE-2017-8759 heuristic firing suggests exploitation of MSXML SAX OLE activation. The embedded URL points to a potential second-stage executable, likely downloaded and executed by the exploited vulnerability.
Heuristics 8
-
CVE-2017-8759 — MSXML SAX OLE activation critical CVE likely CVE_2017_8759RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
-
ClamAV: Xls.Malware.Valyria-6934880-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Xls.Malware.Valyria-6934880-0
-
\objupdate forces OLE activation high RTF_OBJUPDATERTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
-
Large hex data blocks in OLE object high RTF_EXCESSIVE_HEXRTF contains ~1037KB of hex-encoded data inside \objdata sections — may hide a payload
-
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
OLE object data medium RTF_OBJDATARTF contains 10 \objdata section(s) — embedded OLE objects
-
Embedded OLE object medium RTF_OBJEMBRTF contains \objemb — embedded OLE object
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.microsoft.com/office/word/2003/wordml In RTF body
- http://rsb18.rhostbh.com/~bakixeb2/bash/1.exeIn RTF body
Extracted artifacts 10
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
objdata_00_off000028e8.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x28E8 | 55342 bytes |
SHA-256: fec1d98d08c21bad3ff4a8cd5611158b4079f19302b346ce2485c723911be58b |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Static shellcode analysis recovered command string(s): WScript.Shell Carved macro source contains an auto-exec entry point and execution/download terms.
|
|||
objdata_01_off000234de.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x234DE | 55342 bytes |
SHA-256: 2147f19fd3f82edf2b86080f9dc588dd4ecda54c8d7b00b35bc1cf85e54ae682 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Static shellcode analysis recovered command string(s): WScript.Shell Carved macro source contains an auto-exec entry point and execution/download terms.
|
|||
objdata_02_off000440d4.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x440D4 | 55342 bytes |
SHA-256: 7e4acec732c9379594f355a5ea12a253bc2b947e641914fc28647b2d1a500004 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Static shellcode analysis recovered command string(s): WScript.Shell Carved macro source contains an auto-exec entry point and execution/download terms.
|
|||
objdata_03_off00064cca.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x64CCA | 55342 bytes |
SHA-256: 9c36c7b039ca1ffa66b866c50e3c7ba77b3283c1f7d1af3946354f42cff334b5 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Static shellcode analysis recovered command string(s): WScript.Shell Carved macro source contains an auto-exec entry point and execution/download terms.
|
|||
objdata_04_off000858c0.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x858C0 | 55342 bytes |
SHA-256: 901682d86778b1c48ffdbc2f26eb12a5742dde0d9e3acc3fd7a988fa217dfbb2 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Static shellcode analysis recovered command string(s): WScript.Shell Carved macro source contains an auto-exec entry point and execution/download terms.
|
|||
objdata_05_off000a64b6.bin |
rtf-objdata-decoded | RTF \objdata at offset 0xA64B6 | 55342 bytes |
SHA-256: 40716aa94b842faedb05707287a2e59c288e46941de5454ef7208797a95679cb |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Static shellcode analysis recovered command string(s): WScript.Shell Carved macro source contains an auto-exec entry point and execution/download terms.
|
|||
objdata_06_off000c70ac.bin |
rtf-objdata-decoded | RTF \objdata at offset 0xC70AC | 55342 bytes |
SHA-256: 1f10bb6d7348d22316babee81e1156940c663f61023d33b15ca5b8659179474b |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Static shellcode analysis recovered command string(s): WScript.Shell Carved macro source contains an auto-exec entry point and execution/download terms.
|
|||
objdata_07_off000e7ca2.bin |
rtf-objdata-decoded | RTF \objdata at offset 0xE7CA2 | 55342 bytes |
SHA-256: 04d424e2a45fb7d22f54ae1177b95a228d1d799bbbf14f97b3b20f2431d408fe |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Static shellcode analysis recovered command string(s): WScript.Shell Carved macro source contains an auto-exec entry point and execution/download terms.
|
|||
objdata_08_off00108898.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x108898 | 55342 bytes |
SHA-256: bb4c397856876257f36e133adb7c05fa5c9a4b2450a83588e73d5f2372bb1948 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Static shellcode analysis recovered command string(s): WScript.Shell Carved macro source contains an auto-exec entry point and execution/download terms.
|
|||
objdata_09_off0012948e.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x12948E | 55342 bytes |
SHA-256: cd6c02e5be56b188c099212a916ffd7abb71233f5efb02828a843e86eb9d5393 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Static shellcode analysis recovered command string(s): WScript.Shell Carved macro source contains an auto-exec entry point and execution/download terms.
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.