Verdict: MALICIOUS (Risk Score: 242)
Malware Insights

MITRE ATT&CK:
- T1566.001 Spearphishing Attachment
- T1203 Exploitation for Client Execution
The RTF file exhibits multiple high-severity heuristics related to embedded OLE objects and their activation, strongly suggesting malicious intent. ClamAV detection confirms this, identifying the sample as 'Xls.Malware.Sload-7135989-0'. The presence of OLE objects and the activation triggers point towards an attempt to execute embedded malicious content, likely delivered via spearphishing.
Heuristics (6)

- Composite Moniker in RTF OLE object (severity: high, rule: RTF_COMPOSITE_MONIKER_RELATED): RTF contains a Composite Moniker CLSID in an OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
- ClamAV: Xls.Malware.Sload-7135989-0 (severity: critical, rule: CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Malware.Sload-7135989-0
- \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE): RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
- OLE object data (severity: medium, rule: RTF_OBJDATA): RTF contains 10 \objdata section(s) (embedded OLE objects).
- Embedded OLE object (severity: medium, rule: RTF_OBJEMB): RTF contains \objemb (embedded OLE object).
- Embedded URL (severity: info, rule: EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)
Extracted artifacts (10)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 | ClamAV detection | Obfuscation or payload |
|---|---|---|---|---|---|---|
| objdata_00_off00003c00.bin | rtf-objdata-decoded | RTF \objdata at offset 0x3C00 | 27195 bytes | 81bf7a3d97389fe377e4f5dd06066b49176d55466bbeec883af2763d5590d3b8 | Xls.Malware.Sload-7135989-0 | unlikely |
| objdata_01_off00016862.bin | rtf-objdata-decoded | RTF \objdata at offset 0x16862 | 27195 bytes | 72757efa8de3d3d8ad8172460b8fbbcdff52a7e234628e1a6806013f110ec416 | Xls.Malware.Sload-7135989-0 | unlikely |
| objdata_02_off000294c3.bin | rtf-objdata-decoded | RTF \objdata at offset 0x294C3 | 27195 bytes | b37f8e1c53d659c6601e41a2507e599fb8f8df8d8d02b43c02bc8421c0892e90 | Xls.Malware.Sload-7135989-0 | unlikely |
| objdata_03_off0003c124.bin | rtf-objdata-decoded | RTF \objdata at offset 0x3C124 | 27195 bytes | 790da8809b35396f532d734f7d31ae3066ba17f2fede6360a82ee88c0dbe1e52 | Xls.Malware.Sload-7135989-0 | unlikely |
| objdata_04_off0004ed85.bin | rtf-objdata-decoded | RTF \objdata at offset 0x4ED85 | 27195 bytes | 000d5e27d6fe045e3ceb1a75211c532972bea3e81684c09cb0d663c7f64f5244 | Xls.Malware.Sload-7135989-0 | unlikely |
| objdata_05_off000627de.bin | rtf-objdata-decoded | RTF \objdata at offset 0x627DE | 27195 bytes | 206b3bbd8f8084d0acb6a8b5c45b76b47c52af28ed3ee713812ad54f9713f236 | Xls.Malware.Sload-7135989-0 | unlikely |
| objdata_06_off00075460.bin | rtf-objdata-decoded | RTF \objdata at offset 0x75460 | 27195 bytes | 263d57f5fdeb886d734a51faee2f04083c6446f4d51cea61f15a09246f12c3e0 | Xls.Malware.Sload-7135989-0 | unlikely |
| objdata_07_off000880e4.bin | rtf-objdata-decoded | RTF \objdata at offset 0x880E4 | 27195 bytes | f52a9d7d69de7791d6766316a467de9b10d4262e9109881dd692e2f9d27f1a53 | Xls.Malware.Sload-7135989-0 | unlikely |
| objdata_08_off0009ad68.bin | rtf-objdata-decoded | RTF \objdata at offset 0x9AD68 | 27195 bytes | 973e78fbc6d6c1fdd11522fac853c85df6e05d52dccaae854443ba6b920a33f7 | Xls.Malware.Sload-7135989-0 | unlikely |
| objdata_09_off000ad9ec.bin | rtf-objdata-decoded | RTF \objdata at offset 0xAD9EC | 27195 bytes | faa9ef9f329ea2f4ca3573565a3a525caca54f9dd497e65928dc1bf904cccbe7 | Xls.Malware.Sload-7135989-0 | unlikely |