Verdict: MALICIOUS
Risk Score: 142
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment
The RTF file contains multiple embedded OLE objects and triggers an OLE activation via \objupdate. The critical heuristic firing for CVE-2017-8759 indicates exploitation of this vulnerability, which is commonly used to download and execute arbitrary code. The embedded URL is benign, but the exploitation technique strongly suggests a malicious intent to compromise the user's system.
Heuristics (5)
- CVE-2017-8759 — MSXML SAX OLE activation (critical, CVE likely, rule CVE_2017_8759): RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
- \objupdate forces OLE activation (high, rule RTF_OBJUPDATE): RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
- OLE object data (medium, rule RTF_OBJDATA): RTF contains 10 \objdata section(s), i.e. embedded OLE objects.
- Embedded OLE object (medium, rule RTF_OBJEMB): RTF contains \objemb, an embedded OLE object.
- Embedded URL (info, rule EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body).
Extracted artifacts (10)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| objdata_00_off00002c46.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2C46 | 26683 bytes | 99b282ce2bfe68ddf135c22a48b001c8caf4340008062059d83a44b0ca6f9290 |
| objdata_01_off00015c67.bin | rtf-objdata-decoded | RTF \objdata at offset 0x15C67 | 26683 bytes | 834e6a5e023a325eae5b9030b79a7437f6a4ae28aa2731e7898a74480bc45fa2 |
| objdata_02_off00028c88.bin | rtf-objdata-decoded | RTF \objdata at offset 0x28C88 | 26683 bytes | e2a7c814d7efc07d0f1f3f0546357cb1078d48f66c8d56e6739c6d0a3e6a5570 |
| objdata_03_off0003bca9.bin | rtf-objdata-decoded | RTF \objdata at offset 0x3BCA9 | 26683 bytes | 16b3a7cdf2a68fcdfebc5e97c4274c579a563373424cd3a1e801e0bf531c8e22 |
| objdata_04_off0004ecca.bin | rtf-objdata-decoded | RTF \objdata at offset 0x4ECCA | 26683 bytes | 1eac0d7a8a60918ff216dcf809deea7602edd072159f74ada6904cc9ec11d39d |
| objdata_05_off00061d35.bin | rtf-objdata-decoded | RTF \objdata at offset 0x61D35 | 26683 bytes | d1bfa63fe265db5bb846e5676a671d8a7179adbc3bd7876b6bcb59cd8248f122 |
| objdata_06_off00074d56.bin | rtf-objdata-decoded | RTF \objdata at offset 0x74D56 | 26683 bytes | f6b9c4ddc93f920ecd2c3e73f54f039f470d3f2470bd0556f49cba79724696fa |
| objdata_07_off00087d77.bin | rtf-objdata-decoded | RTF \objdata at offset 0x87D77 | 26683 bytes | 90f4c7bf2e4b0e550ab8714a81708ca1693d0a24fd2044f8f19b9c1e301dcaf3 |
| objdata_08_off0009ad98.bin | rtf-objdata-decoded | RTF \objdata at offset 0x9AD98 | 26683 bytes | 2b83594e803b369bbe0b69f4857b613b61ebc8f67363e2b51d7104f6a632e054 |
| objdata_09_off000addb9.bin | rtf-objdata-decoded | RTF \objdata at offset 0xADDB9 | 26683 bytes | 2a94ca05b089c55aa337e03a5471ba05769d2f197e8a9c695363a226fc3379c2 |