MALICIOUS
Risk Score: 262
Malware Insights
MITRE ATT&CK
- T1203 Exploitation for Client Execution
- T1566.001 Spearphishing Attachment
The RTF file contains multiple embedded OLE objects and uses \objupdate to force their activation. Critical heuristics indicate exploitation of CVE-2017-8759, a known vulnerability in MSXML that allows for OLE object activation. This suggests the file is designed to execute arbitrary code by leveraging this vulnerability, likely to download and run a secondary malicious payload. The ClamAV detection name further supports the malicious classification.
Heuristics (6)

| Heuristic | Severity | ID | Description |
|---|---|---|---|
| CVE-2017-8759 — MSXML SAX OLE activation | critical (CVE likely) | CVE_2017_8759 | RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection. |
| ClamAV: Doc.Dropper.Agent-6412232-1 | critical | CLAMAV_DETECTION | ClamAV detected this file as malware: Doc.Dropper.Agent-6412232-1 |
| \objupdate forces OLE activation | high | RTF_OBJUPDATE | RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents. |
| OLE object data | medium | RTF_OBJDATA | RTF contains 12 \objdata section(s) (embedded OLE objects) |
| Embedded OLE object | medium | RTF_OBJEMB | RTF contains \objemb (embedded OLE object) |
| Embedded URL | info | EMBEDDED_URL | One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.microsoft (in RTF body) |
Extracted artifacts (12)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| objdata_00_off00002c85.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2C85 | 24123 bytes | 67a20a18141748c4e5ab6a77acd2187152c4876769cbf241071c32e4e5dc59c8 |
| objdata_01_off000149c3.bin | rtf-objdata-decoded | RTF \objdata at offset 0x149C3 | 24123 bytes | dea66e4bf55b3e0a2e8348dbf7de414892c30c5c95277c8796fa1e0b6b9f2af8 |
| objdata_02_off0002604b.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2604B | 24123 bytes | 87bbf2080e6c2c89e7dee257f891c77d5c28041232e06c2fcb814933fe942997 |
| objdata_03_off000376d5.bin | rtf-objdata-decoded | RTF \objdata at offset 0x376D5 | 24123 bytes | c79744ab9710f2ae4057cac4c5456c1f523ca3be8cafaaea991d317b07d04e21 |
| objdata_04_off00048d5f.bin | rtf-objdata-decoded | RTF \objdata at offset 0x48D5F | 24123 bytes | 00516f0acaa6c9beb0eb6dda1e1e1b8097d1a6ed361968f45473dc7be233af33 |
| objdata_05_off0005a3e9.bin | rtf-objdata-decoded | RTF \objdata at offset 0x5A3E9 | 24123 bytes | cdafa2c4c47fcd2899b3b83db6902448964cefedeec280a928054fbf80318fe2 |
| objdata_06_off0006ba84.bin | rtf-objdata-decoded | RTF \objdata at offset 0x6BA84 | 24123 bytes | 6dd93dc3155e78f536f1273f95bc7905d9124a56345440030ec753af038c2b52 |
| objdata_07_off0007d7c2.bin | rtf-objdata-decoded | RTF \objdata at offset 0x7D7C2 | 24123 bytes | 4f419e19179337574ef6566f896689a5ec804e892eb8e8d0db6dd997c4912997 |
| objdata_08_off0008ee4a.bin | rtf-objdata-decoded | RTF \objdata at offset 0x8EE4A | 24123 bytes | b2bb4feecda8af51fc9498799436f432f7241eb563eeb76e26ea09c63d90a828 |
| objdata_09_off000a04d4.bin | rtf-objdata-decoded | RTF \objdata at offset 0xA04D4 | 24123 bytes | f065c1b2bb9ce19ef5e787b4a0929499b2afbfac96f7c3c81de3a8f32e1b7e8a |
| objdata_10_off000b1b5e.bin | rtf-objdata-decoded | RTF \objdata at offset 0xB1B5E | 24123 bytes | 32fb0c58e63920a9a9bd8a6c73f149eb1041688ecfc66334fb39fdc49ddf62e7 |
| objdata_11_off000c31e8.bin | rtf-objdata-decoded | RTF \objdata at offset 0xC31E8 | 24123 bytes | 8080297c88e4a3332f867d024e933110d8604aa30c5d8649cb6b79a33e60dc84 |

Detection for all 12 artifacts: ClamAV Doc.Dropper.Agent-6412232-1; obfuscation or payload: unlikely.