MALICIOUS
222
Risk Score
Heuristics 5
-
CVE-2017-11826 malformed Word ActiveX package critical CVE likely CVE_2017_11826_ACTIVEX_PACKAGERTF objdata decodes to a Word.Document.12 package with many null-CLSID ActiveX controls, repeated relationships to one oversized activeX1.bin CFB payload, and an extreme compression ratio. This is the submitted CVE-2017-11826 exploit carrier shape and avoids matching ordinary embedded ActiveX controls.
-
ClamAV: Doc.Dropper.Agent-6349423-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Dropper.Agent-6349423-0
-
OLE object data medium RTF_OBJDATARTF contains 3 \objdata section(s) — embedded OLE objects
-
Embedded OLE object medium RTF_OBJEMBRTF contains \objemb — embedded OLE object
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.microsoft.com/office/word/2003/wordml In document body
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
objdata_00_off0003972d.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x3972D | 45 bytes |
SHA-256: 083c2e8b44386e792363878581e7e6cc02382e07194162f33517c429dfbcec43 |
|||
objdata_01_off00039807.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x39807 | 53297 bytes |
SHA-256: b990036fc6897a709f0e1e362d1d2deb67bf245985f7cbc125271ad1ce116388 |
|||
|
Detection
ClamAV:
Doc.Dropper.Agent-6349423-0
Obfuscation or payload:
unlikely
|
|||
objdata_02_off000538e9.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x538E9 | 14385 bytes |
SHA-256: 5dc51ec81e3463c6839ab957f9d74072710c4a47473574d15ad1ef301d54b882 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.