Verdict: MALICIOUS
Risk Score: 222

Malware Insights

MITRE ATT&CK:
- T1203 Exploitation for Client Execution
- T1566.001 Spearphishing Attachment
The RTF file contains multiple OLE objects and triggers the CVE-2017-8759 vulnerability, which is known for exploiting MSXML SAX OLE activation. This indicates the file's primary purpose is to execute arbitrary code, likely by downloading a second-stage payload. ClamAV detection further supports its malicious nature as a dropper.
Heuristics (5)

- CVE-2017-8759 — MSXML SAX OLE activation (critical; CVE likely; CVE_2017_8759): RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
- ClamAV: Doc.Dropper.Agent-6412232-1 (critical; CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6412232-1.
- OLE object data (medium; RTF_OBJDATA): RTF contains 10 \objdata section(s), i.e. embedded OLE objects.
- Embedded OLE object (medium; RTF_OBJEMB): RTF contains \objemb, an embedded OLE object.
- Embedded URL (info; EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas (in RTF body).
Extracted artifacts (10)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 | ClamAV detection | Obfuscation or payload |
|---|---|---|---|---|---|---|
| objdata_00_off00002c88.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2C88 | 33339 bytes | f55e7051dd2d2df1e0605be987a34fd4ae5e00bb61aa23d87807096624215f59 | Doc.Dropper.Agent-6412232-1 | unlikely |
| objdata_01_off00018ba0.bin | rtf-objdata-decoded | RTF \objdata at offset 0x18BA0 | 33339 bytes | 6576c7262c2f44d1af4594b6b4d38d64193b11500426b118674d150cdaaccc5b | Doc.Dropper.Agent-6412232-1 | unlikely |
| objdata_02_off0002eab8.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2EAB8 | 33339 bytes | 44064ed7c4e2c1065ed64738a2ebbb760894234bb77d861500336760d0f08e32 | Doc.Dropper.Agent-6412232-1 | unlikely |
| objdata_03_off000449d0.bin | rtf-objdata-decoded | RTF \objdata at offset 0x449D0 | 33339 bytes | eaf58689be4600d2e394e1b116a43d9cc1598be5394eab367095dce60ca49603 | Doc.Dropper.Agent-6412232-1 | unlikely |
| objdata_04_off0005a8e8.bin | rtf-objdata-decoded | RTF \objdata at offset 0x5A8E8 | 33339 bytes | ca98183b4992fe27737e88b12866ba132587660ae782328e47e85ca2c165b122 | Doc.Dropper.Agent-6412232-1 | unlikely |
| objdata_05_off0007084a.bin | rtf-objdata-decoded | RTF \objdata at offset 0x7084A | 33339 bytes | d22070f7839ba9d71bd1608a33088ce0f48e00eb6e248bbe75b07f2e80538c58 | Doc.Dropper.Agent-6412232-1 | unlikely |
| objdata_06_off00086762.bin | rtf-objdata-decoded | RTF \objdata at offset 0x86762 | 33339 bytes | 0c299934e888f9e5e5f768f90492b8b76715f10e689450fa2666b95f0715c173 | Doc.Dropper.Agent-6412232-1 | unlikely |
| objdata_07_off0009c67a.bin | rtf-objdata-decoded | RTF \objdata at offset 0x9C67A | 33339 bytes | a4214d7627793906309ba018d415582655793274414eaf1517ed5c8217785e9a | Doc.Dropper.Agent-6412232-1 | unlikely |
| objdata_08_off000b2592.bin | rtf-objdata-decoded | RTF \objdata at offset 0xB2592 | 33339 bytes | de64491583581274058e195144d6306c0f0c399c440d922373ce59caa42ea330 | Doc.Dropper.Agent-6412232-1 | unlikely |
| objdata_09_off000c84aa.bin | rtf-objdata-decoded | RTF \objdata at offset 0xC84AA | 33339 bytes | 4f2d782846716a9024580cfd2249f5641535ed267b54e829397e4f67482dec90 | Doc.Dropper.Agent-6412232-1 | unlikely |