MALICIOUS
242
Risk Score
Heuristics 6
-
Composite Moniker in RTF OLE object high RTF_COMPOSITE_MONIKER_RELATEDRTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
-
ClamAV: Xls.Malware.Generic-6834349-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Xls.Malware.Generic-6834349-0
-
\objupdate forces OLE activation high RTF_OBJUPDATERTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
-
OLE object data medium RTF_OBJDATARTF contains 10 \objdata section(s) — embedded OLE objects
-
Embedded OLE object medium RTF_OBJEMBRTF contains \objemb — embedded OLE object
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.microsoft.com/office/word/2003/wordml In RTF body
Extracted artifacts 10
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
objdata_00_off00003d4c.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x3D4C | 35899 bytes |
SHA-256: 5a2956ecd6937286c8e9145eb64e3c2aeb642babd68af6ee4db92bd2653ab6da |
|||
|
Detection
ClamAV:
Xls.Malware.Generic-6834349-0
Obfuscation or payload:
unlikely
|
|||
objdata_01_off0001ae84.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x1AE84 | 35899 bytes |
SHA-256: 853bb0ac204bdb18f599ec6557f493e0b8bcc92de3ac46edace66f97b5d8acb3 |
|||
|
Detection
ClamAV:
Xls.Malware.Generic-6834349-0
Obfuscation or payload:
unlikely
|
|||
objdata_02_off00031fbc.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x31FBC | 35899 bytes |
SHA-256: f5d8d747f83e6b73b38858e637d72ff115f07dba1cf73899e63b37bd786eff3b |
|||
|
Detection
ClamAV:
Xls.Malware.Generic-6834349-0
Obfuscation or payload:
unlikely
|
|||
objdata_03_off000490f4.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x490F4 | 35899 bytes |
SHA-256: cf722ae2aef4098d17d3212a4af8e109046746c68e68390495ae889bef4baf95 |
|||
|
Detection
ClamAV:
Xls.Malware.Generic-6834349-0
Obfuscation or payload:
unlikely
|
|||
objdata_04_off0006022c.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x6022C | 35899 bytes |
SHA-256: 2145f0c95145f020bf4e9b5e3c7f0f18f04d5371645500fdfaf988251f601ea6 |
|||
|
Detection
ClamAV:
Xls.Malware.Generic-6834349-0
Obfuscation or payload:
unlikely
|
|||
objdata_05_off0007c17a.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x7C17A | 35899 bytes |
SHA-256: 18571dcea6821b3ae9b30a8eda240baf70f2ca2778b94d87fd635d8dfd34eead |
|||
|
Detection
ClamAV:
Xls.Malware.Generic-6834349-0
Obfuscation or payload:
unlikely
|
|||
objdata_06_off000931cb.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x931CB | 35899 bytes |
SHA-256: 473d2da69b64161726946f2bb263261ec9f0fdecad17d55eaf36b126ab3f8eae |
|||
|
Detection
ClamAV:
Xls.Malware.Generic-6834349-0
Obfuscation or payload:
unlikely
|
|||
objdata_07_off000aa323.bin |
rtf-objdata-decoded | RTF \objdata at offset 0xAA323 | 35899 bytes |
SHA-256: f33d443ab38bc71061a0c7f43337e1916958b635ff23fdcdfafb52173f21c765 |
|||
|
Detection
ClamAV:
Xls.Malware.Generic-6834349-0
Obfuscation or payload:
unlikely
|
|||
objdata_08_off000c147b.bin |
rtf-objdata-decoded | RTF \objdata at offset 0xC147B | 35899 bytes |
SHA-256: 2fbafa06ca4d9225454460a4f77f7111d3b967d0079cb51d33960d09b8dc193e |
|||
|
Detection
ClamAV:
Xls.Malware.Generic-6834349-0
Obfuscation or payload:
unlikely
|
|||
objdata_09_off000d85d3.bin |
rtf-objdata-decoded | RTF \objdata at offset 0xD85D3 | 35899 bytes |
SHA-256: c7b3e1a6b274536ffd7f44d1e23f2d2abb9e6c3bec6948e9d7cc14b93038fed2 |
|||
|
Detection
ClamAV:
Xls.Malware.Generic-6834349-0
Obfuscation or payload:
unlikely
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.