MALICIOUS
142
Risk Score
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment
The RTF file contains multiple embedded OLE objects and uses \objupdate to force their activation. The critical heuristic firing for CVE-2017-8759 indicates exploitation of MSXML SAX OLE activation, a known vulnerability used to download and execute arbitrary code. The embedded URL, though incomplete, likely points to a malicious resource. The file's purpose is to exploit this vulnerability to achieve initial execution.
Heuristics 5
-
CVE-2017-8759 — MSXML SAX OLE activation critical CVE likely CVE_2017_8759RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
-
\objupdate forces OLE activation high RTF_OBJUPDATERTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
-
OLE object data medium RTF_OBJDATARTF contains 12 \objdata section(s) — embedded OLE objects
-
Embedded OLE object medium RTF_OBJEMBRTF contains \objemb — embedded OLE object
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.mi In RTF body
Extracted artifacts 12
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
objdata_00_off00002cb7.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x2CB7 | 26683 bytes |
SHA-256: 25de41c6ae20e4e990c75e2197abc09816c09dd2bd9628b21f99451f1f9b5797 |
|||
objdata_01_off00015752.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x15752 | 26683 bytes |
SHA-256: 91d3c31e5e7e8cac6dcdb60d3bb1a5b8a4f31a0c36ebabcdb65d5c5e45253bba |
|||
objdata_02_off0002877d.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x2877D | 26683 bytes |
SHA-256: beaa9d47b66b2934f5552386f38cc55abbea8fab15e3381ba76155a525121810 |
|||
objdata_03_off0003b797.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x3B797 | 26683 bytes |
SHA-256: 91fef9eac429fa523a6e98279f5454c6b8da0e083aa2706e9acb00b76ed656e7 |
|||
objdata_04_off0004e7b1.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x4E7B1 | 26683 bytes |
SHA-256: c5ffab9122ac4ccede77c604d6a0a29a55b23d94adee620e98807c983850f96e |
|||
objdata_05_off000617cb.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x617CB | 26683 bytes |
SHA-256: f5c02a7ecaba45b70ae1df31e8b4909e3ee999dcea8f09fe9a7a827709b60561 |
|||
objdata_06_off0007482f.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x7482F | 26683 bytes |
SHA-256: 993237436eda898c76d9e8b0f155f9726af740f91459e3d9cb01f5382ef352f6 |
|||
objdata_07_off000872ca.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x872CA | 26683 bytes |
SHA-256: 64a034e72d1c04dbaed890f77f5ea35bce19559aa0125972b56bd35f32ce2dd6 |
|||
objdata_08_off0009a2f5.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x9A2F5 | 26683 bytes |
SHA-256: 1850bcbf950f06d8a4378ce2c5272124df6d05970532af59c46a8cb5ba6db238 |
|||
objdata_09_off000ad30f.bin |
rtf-objdata-decoded | RTF \objdata at offset 0xAD30F | 26683 bytes |
SHA-256: 8418b422a3b5b84ddf78e8c81b624cd0ae745eceacabb7b59fdb6c35f919c639 |
|||
objdata_10_off000c0329.bin |
rtf-objdata-decoded | RTF \objdata at offset 0xC0329 | 26683 bytes |
SHA-256: d08c98924a9218b78e7f070edd9bf551ec301e49b479bd91426eb6784ec11d4b |
|||
objdata_11_off000d3343.bin |
rtf-objdata-decoded | RTF \objdata at offset 0xD3343 | 26683 bytes |
SHA-256: 113410b5ef4c6b073a51ad16755e3d760837df6bac1443852c4d908533f4c2e5 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.