Verdict: MALICIOUS
Risk Score: 262

Malware Insights

MITRE ATT&CK:
- T1203 Exploitation for Client Execution
- T1566.001 Spearphishing Attachment
The RTF file contains multiple embedded OLE objects, with heuristics indicating that \objupdate forces OLE activation. Crucially, the CVE-2017-8759 exploit is detected, which targets MSXML SAX OLE activation. This suggests the file is designed to exploit this vulnerability to execute arbitrary code, likely by downloading and running a second-stage payload.
Heuristics (6)

- CVE-2017-8759 — MSXML SAX OLE activation (critical, CVE_2017_8759): RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
- ClamAV: Doc.Macro.Obfuscation-6391394-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Macro.Obfuscation-6391394-0.
- \objupdate forces OLE activation (high, RTF_OBJUPDATE): RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
- OLE object data (medium, RTF_OBJDATA): RTF contains 12 \objdata section(s) (embedded OLE objects).
- Embedded OLE object (medium, RTF_OBJEMB): RTF contains \objemb (embedded OLE object).
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body).
Extracted artifacts (12)
Files carved from inside the sample during analysis. Each carved object is 27707 bytes and carries the same ClamAV detection (Doc.Macro.Obfuscation-6391394-0); obfuscation or payload is rated unlikely for all of them.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| objdata_00_off00002c47.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2C47 | 27707 bytes | b577163e569d14fa19a30ac2eece4a0b18230526427de3755f6be5d1aa9c9277 |
| objdata_01_off00016478.bin | rtf-objdata-decoded | RTF \objdata at offset 0x16478 | 27707 bytes | cbd194ca516713280fd6c9dc56688ede6f269aeddf7673dd8ae5b099ac658a4d |
| objdata_02_off00029ca9.bin | rtf-objdata-decoded | RTF \objdata at offset 0x29CA9 | 27707 bytes | 9b58078ebfc89dcdab52e04a2e37b3f3e7d490ae2d50c3e6b852f2e282f652ce |
| objdata_03_off0003d4da.bin | rtf-objdata-decoded | RTF \objdata at offset 0x3D4DA | 27707 bytes | 88672be44c3af849b66f4341a1b1de113bda626b0a23e1ff181f2079a64fc871 |
| objdata_04_off00050d55.bin | rtf-objdata-decoded | RTF \objdata at offset 0x50D55 | 27707 bytes | 3e87b535dfe327c2b9d1489e811c5c0405cdd4556970c48336994a9626e93578 |
| objdata_05_off00064586.bin | rtf-objdata-decoded | RTF \objdata at offset 0x64586 | 27707 bytes | d5fce286f8e8dbdd840a3138ba210e9a1dcb83530663400409612740a06d8c92 |
| objdata_06_off00077db7.bin | rtf-objdata-decoded | RTF \objdata at offset 0x77DB7 | 27707 bytes | 3fcdc103bee10eb953b9d3f44f9678e051c5024a01ddd9725c48b841dc232aa9 |
| objdata_07_off0008b5e8.bin | rtf-objdata-decoded | RTF \objdata at offset 0x8B5E8 | 27707 bytes | 624190c8ff8adefc7ac1d1bdf577a5a70663dd3438b381d8d43bd30d69cffa16 |
| objdata_08_off0009ef07.bin | rtf-objdata-decoded | RTF \objdata at offset 0x9EF07 | 27707 bytes | 8c919b077a7b0908684ca0dea31bb261470f25f28e3aa6eaa2a5193766245979 |
| objdata_09_off000b2736.bin | rtf-objdata-decoded | RTF \objdata at offset 0xB2736 | 27707 bytes | af3e93bd193268ea317e7c37a9740877e613f2e74134640352add0188d113ab3 |
| objdata_10_off000c5f67.bin | rtf-objdata-decoded | RTF \objdata at offset 0xC5F67 | 27707 bytes | beda5bb140452897a24c4695026ba45267dc5f77d6041a35d482f1c051f0ba7b |
| objdata_11_off000d9798.bin | rtf-objdata-decoded | RTF \objdata at offset 0xD9798 | 27707 bytes | 0f4449b4c830ddd3d5ad90dd63b9beab8f68a19bd2ce9f172061f69a5fcd5178 |