MALICIOUS
242
Risk Score
Heuristics 6
-
Composite Moniker in RTF OLE object high RTF_COMPOSITE_MONIKER_RELATEDRTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
-
ClamAV: Xls.Malware.Generic-6834349-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Xls.Malware.Generic-6834349-0
-
\objupdate forces OLE activation high RTF_OBJUPDATERTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
-
OLE object data medium RTF_OBJDATARTF contains 10 \objdata section(s) — embedded OLE objects
-
Embedded OLE object medium RTF_OBJEMBRTF contains \objemb — embedded OLE object
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.microsoft.com/office/word/2003/wordml In RTF body
Extracted artifacts 10
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
objdata_00_off00003d05.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x3D05 | 35899 bytes |
SHA-256: a47d79e5b2ada37997d98ee65c6c159c7240a4aef13e91c4c565fa6477df0ee2 |
|||
|
Detection
ClamAV:
Xls.Malware.Generic-6834349-0
Obfuscation or payload:
unlikely
|
|||
objdata_01_off0001adfb.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x1ADFB | 35899 bytes |
SHA-256: 5c7c53fe011429475fe7317f2a57f8d2104d10219bcd7503089c37a9f312350f |
|||
|
Detection
ClamAV:
Xls.Malware.Generic-6834349-0
Obfuscation or payload:
unlikely
|
|||
objdata_02_off00031ef1.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x31EF1 | 35899 bytes |
SHA-256: 026ea12365512f4ff7be16eb64fc9966d422bdb797f4f3ea6af53bac9c66ad21 |
|||
|
Detection
ClamAV:
Xls.Malware.Generic-6834349-0
Obfuscation or payload:
unlikely
|
|||
objdata_03_off00048fe7.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x48FE7 | 35899 bytes |
SHA-256: 7478f57bfa1ec4f680d6a551f89204309287408b323f7643758c1a13a8a40e4f |
|||
|
Detection
ClamAV:
Xls.Malware.Generic-6834349-0
Obfuscation or payload:
unlikely
|
|||
objdata_04_off000600dd.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x600DD | 35899 bytes |
SHA-256: eb5032f78ede21af6efcbbf08a0eee9ac7b1286754f4e43f646e83c0bcd48779 |
|||
|
Detection
ClamAV:
Xls.Malware.Generic-6834349-0
Obfuscation or payload:
unlikely
|
|||
objdata_05_off00077fe3.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x77FE3 | 35899 bytes |
SHA-256: cbe5cc7ef10f0bc2eeb8018b6aa03603c3763e93e66831293d2e19c509e3aae9 |
|||
|
Detection
ClamAV:
Xls.Malware.Generic-6834349-0
Obfuscation or payload:
unlikely
|
|||
objdata_06_off0008f0f7.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x8F0F7 | 35899 bytes |
SHA-256: 12c0bea1f4923c06ad2037e80d30bb20aceb281a83cb0cd2eefc7a6cbb9d5db4 |
|||
|
Detection
ClamAV:
Xls.Malware.Generic-6834349-0
Obfuscation or payload:
unlikely
|
|||
objdata_07_off000a620d.bin |
rtf-objdata-decoded | RTF \objdata at offset 0xA620D | 35899 bytes |
SHA-256: 4e5b345ec199ad52d103c5786cccb3eb05620f36298d1ba563f6308ec3ff7dbc |
|||
|
Detection
ClamAV:
Xls.Malware.Generic-6834349-0
Obfuscation or payload:
unlikely
|
|||
objdata_08_off000bd323.bin |
rtf-objdata-decoded | RTF \objdata at offset 0xBD323 | 35899 bytes |
SHA-256: 744abc8372ed6ce26dd32b9851c80dd5b7d4c21a4da141f6ccd4a4d578fd6bf7 |
|||
|
Detection
ClamAV:
Xls.Malware.Generic-6834349-0
Obfuscation or payload:
unlikely
|
|||
objdata_09_off000d4439.bin |
rtf-objdata-decoded | RTF \objdata at offset 0xD4439 | 35899 bytes |
SHA-256: aa234d967386db8224314802ec4e244c7aabcd5a545812deca13595db9746d05 |
|||
|
Detection
ClamAV:
Xls.Malware.Generic-6834349-0
Obfuscation or payload:
unlikely
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.