Verdict: MALICIOUS (Risk Score 222)
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment
The RTF file contains multiple OLE objects and triggers a critical heuristic for CVE-2017-8759, indicating exploitation of MSXML SAX OLE activation. ClamAV also identifies the file as a dropper, suggesting it is designed to download and execute a secondary payload. The embedded OLE objects together with the specific CVE heuristic point to a malicious document intended for initial compromise.
Heuristics: 5

- CVE-2017-8759 (MSXML SAX OLE activation), critical, likely, CVE_2017_8759: RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
- ClamAV: Doc.Dropper.Agent-6412232-1, critical, CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Dropper.Agent-6412232-1
- OLE object data, medium, RTF_OBJDATA: RTF contains 10 \objdata section(s), i.e. embedded OLE objects
- Embedded OLE object, medium, RTF_OBJEMB: RTF contains \objemb, an embedded OLE object
- Embedded URL, info, EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)
Extracted artifacts: 10
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 | ClamAV detection | Obfuscation or payload |
|---|---|---|---|---|---|---|
| objdata_00_off00002c10.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2C10 | 33339 bytes | 51f3a2a1b1bb77db5d81537d9a6b43899e664c437f2b5a0213df90a5e5cb11a6 | Doc.Dropper.Agent-6412232-1 | unlikely |
| objdata_01_off00018b2b.bin | rtf-objdata-decoded | RTF \objdata at offset 0x18B2B | 33339 bytes | c3f4625699bc8d8d2dbc91a6b278792f929040527458015fd09a499577b3ff0c | Doc.Dropper.Agent-6412232-1 | unlikely |
| objdata_02_off0002ea46.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2EA46 | 33339 bytes | bb13fd6d5e32d0767bd21b5c926d85603ba4654f40f8f80c20be73c952736fe6 | Doc.Dropper.Agent-6412232-1 | unlikely |
| objdata_03_off00044961.bin | rtf-objdata-decoded | RTF \objdata at offset 0x44961 | 33339 bytes | cb0fd165d15239c8ffd9762d4eeeb2a618bc801e3ad9988ef540233147ce20c6 | Doc.Dropper.Agent-6412232-1 | unlikely |
| objdata_04_off0005a87c.bin | rtf-objdata-decoded | RTF \objdata at offset 0x5A87C | 33339 bytes | c35f02ea1b9f789482be5e14d16d42cf8516d22d54dc8bbf72112b20ce395fca | Doc.Dropper.Agent-6412232-1 | unlikely |
| objdata_05_off000707e3.bin | rtf-objdata-decoded | RTF \objdata at offset 0x707E3 | 33339 bytes | a5718872d64ca1899f96979b3d5d7cdf334371144ca9084e9f63cdefec185b91 | Doc.Dropper.Agent-6412232-1 | unlikely |
| objdata_06_off000866fe.bin | rtf-objdata-decoded | RTF \objdata at offset 0x866FE | 33339 bytes | 73814a36e75f088073a47cb333aeb1872ed973f42b9dfe3be3c6e0c92d104481 | Doc.Dropper.Agent-6412232-1 | unlikely |
| objdata_07_off0009c619.bin | rtf-objdata-decoded | RTF \objdata at offset 0x9C619 | 33339 bytes | 8a8471688334b47c879038248f122e874f37e2c8c9eb3fe707759be0fa0d55df | Doc.Dropper.Agent-6412232-1 | unlikely |
| objdata_08_off000b2534.bin | rtf-objdata-decoded | RTF \objdata at offset 0xB2534 | 33339 bytes | ada42804c46ebc24989e5af67d1f5492c84b93970a4db0dcc907c78d43804e5c | Doc.Dropper.Agent-6412232-1 | unlikely |
| objdata_09_off000c844f.bin | rtf-objdata-decoded | RTF \objdata at offset 0xC844F | 33339 bytes | 6f87fca5dbe72c512608bc34a0343f1145fd12336264b39c3b3cbfba114f38a1 | Doc.Dropper.Agent-6412232-1 | unlikely |