Xls.Malware.Sload-7135989-0 — RTF malware analysis

Static analysis result for SHA-256 a8b4d718f1f3b013…

MALICIOUS

RTF

Size: 789.5 KB
Created: 2018-07-17 13:59:00
First seen: 2018-10-07
MD5: 3cafd575aa5bdb97dcf50fde2b0d3945
SHA-1: a7e7252926459273526216a15ed55791e9ae0c3a
SHA-256: a8b4d718f1f3b01341977eb985a5c40638d33e050e3cb3c523baa5162576842e
Risk Score: 242

Malware Insights

Xls.Malware.Sload-7135989-0 · confidence 95%

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution

The RTF file exhibits multiple high-severity heuristics related to embedded OLE objects and their activation, strongly suggesting malicious intent. ClamAV detection confirms this, identifying the sample as 'Xls.Malware.Sload-7135989-0'. The presence of OLE objects and the activation triggers point towards an attempt to execute embedded malicious content, likely delivered via spearphishing.

Heuristics (6)

  • Composite Moniker in RTF OLE object (severity: high, CVE related) RTF_COMPOSITE_MONIKER_RELATED
    RTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
  • ClamAV: Xls.Malware.Sload-7135989-0 (severity: critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.Sload-7135989-0
  • \objupdate forces OLE activation (severity: high) RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium) RTF_OBJDATA
    RTF contains 10 \objdata section(s) — embedded OLE objects
  • Embedded OLE object (severity: medium) RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Embedded URL (severity: info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (channel: RTF body)

Extracted artifacts (10)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256 | Detection | Obfuscation or payload
objdata_00_off00003c00.bin | rtf-objdata-decoded | RTF \objdata at offset 0x3C00 | 27195 bytes | 81bf7a3d97389fe377e4f5dd06066b49176d55466bbeec883af2763d5590d3b8 | ClamAV: Xls.Malware.Sload-7135989-0 | unlikely
objdata_01_off00016862.bin | rtf-objdata-decoded | RTF \objdata at offset 0x16862 | 27195 bytes | 72757efa8de3d3d8ad8172460b8fbbcdff52a7e234628e1a6806013f110ec416 | ClamAV: Xls.Malware.Sload-7135989-0 | unlikely
objdata_02_off000294c3.bin | rtf-objdata-decoded | RTF \objdata at offset 0x294C3 | 27195 bytes | b37f8e1c53d659c6601e41a2507e599fb8f8df8d8d02b43c02bc8421c0892e90 | ClamAV: Xls.Malware.Sload-7135989-0 | unlikely
objdata_03_off0003c124.bin | rtf-objdata-decoded | RTF \objdata at offset 0x3C124 | 27195 bytes | 790da8809b35396f532d734f7d31ae3066ba17f2fede6360a82ee88c0dbe1e52 | ClamAV: Xls.Malware.Sload-7135989-0 | unlikely
objdata_04_off0004ed85.bin | rtf-objdata-decoded | RTF \objdata at offset 0x4ED85 | 27195 bytes | 000d5e27d6fe045e3ceb1a75211c532972bea3e81684c09cb0d663c7f64f5244 | ClamAV: Xls.Malware.Sload-7135989-0 | unlikely
objdata_05_off000627de.bin | rtf-objdata-decoded | RTF \objdata at offset 0x627DE | 27195 bytes | 206b3bbd8f8084d0acb6a8b5c45b76b47c52af28ed3ee713812ad54f9713f236 | ClamAV: Xls.Malware.Sload-7135989-0 | unlikely
objdata_06_off00075460.bin | rtf-objdata-decoded | RTF \objdata at offset 0x75460 | 27195 bytes | 263d57f5fdeb886d734a51faee2f04083c6446f4d51cea61f15a09246f12c3e0 | ClamAV: Xls.Malware.Sload-7135989-0 | unlikely
objdata_07_off000880e4.bin | rtf-objdata-decoded | RTF \objdata at offset 0x880E4 | 27195 bytes | f52a9d7d69de7791d6766316a467de9b10d4262e9109881dd692e2f9d27f1a53 | ClamAV: Xls.Malware.Sload-7135989-0 | unlikely
objdata_08_off0009ad68.bin | rtf-objdata-decoded | RTF \objdata at offset 0x9AD68 | 27195 bytes | 973e78fbc6d6c1fdd11522fac853c85df6e05d52dccaae854443ba6b920a33f7 | ClamAV: Xls.Malware.Sload-7135989-0 | unlikely
objdata_09_off000ad9ec.bin | rtf-objdata-decoded | RTF \objdata at offset 0xAD9EC | 27195 bytes | faa9ef9f329ea2f4ca3573565a3a525caca54f9dd497e65928dc1bf904cccbe7 | ClamAV: Xls.Malware.Sload-7135989-0 | unlikely