Verdict: MALICIOUS
Risk Score: 282

Malware Insights

MITRE ATT&CK:
- T1203 Exploitation for Client Execution
- T1566.001 Spearphishing Attachment
The RTF document contains multiple embedded OLE objects, including a package object, and utilizes \objupdate to force activation. Crucially, it exploits CVE-2017-8759, a vulnerability in MSXML SAX, which allows for arbitrary code execution. The presence of a URL moniker related to a CHM file suggests a payload delivery mechanism.
Heuristics (9)

- CVE-2017-8759 — MSXML SAX OLE activation (critical; CVE likely; CVE_2017_8759): RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
- URL Moniker in RTF OLE object (high; RTF_URL_MONIKER_RELATED): RTF contains a URL Moniker GUID in OLE object context, but no decoded remote target was confirmed. Treat as related OLE2Link attack-surface evidence rather than proof of CVE-2017-0199 exploitation.
- Automatically linked OLE object (high; RTF_OBJAUTLINK): RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
- \objupdate forces OLE activation (high; RTF_OBJUPDATE): RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
- Package object class (high; RTF_OBJCLASS_PACKAGE): OLE Package object — can wrap arbitrary files.
- OLE object data (medium; RTF_OBJDATA): RTF contains 13 \objdata section(s) — embedded OLE objects.
- Embedded OLE object (medium; RTF_OBJEMB): RTF contains \objemb — embedded OLE object.
- Suspicious extracted artifact (medium; EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info; EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://localhost/index0001.htm (in RTF body)
  - http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)
Extracted artifacts (13)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| objdata_00_off00009833.bin | rtf-objdata-decoded | RTF \objdata at offset 0x9833 | 3173 bytes | 8f422165c4169d85dff9e55f2700b3592791d62b617e6b5e17d006c8eb435da4 |
| objdata_01_off0000b1a4.bin | rtf-objdata-decoded | RTF \objdata at offset 0xB1A4 | 469 bytes | 7ee7c46ab31f4673defd22af1a3ff4bca0d7e3ddf66e276ce6953e54017fe004 |
| objdata_02_off0000b5f5.bin | rtf-objdata-decoded | RTF \objdata at offset 0xB5F5 | 12296 bytes | c082d0576c55680f953cb9c3d4b3fec2dfe4cea718d39c8b619846046e9da2ee |
| objdata_03_off000116b0.bin | rtf-objdata-decoded | RTF \objdata at offset 0x116B0 | 3714 bytes | ae3dee7e6631e2b47aabe1f50a024b908e8275ab789ed04de3020e1526565032 |
| objdata_04_off00013469.bin | rtf-objdata-decoded | RTF \objdata at offset 0x13469 | 3714 bytes | 810066bad51895e758df6b2d592b179737170037f9dae2246eb6f8b767847fc0 |
| objdata_05_off00015222.bin | rtf-objdata-decoded | RTF \objdata at offset 0x15222 | 3714 bytes | df8219a7ca8e8fc6cf31220e6e38fc2b0879fa2ab272e9d78ac706e69afb5804 |
| objdata_06_off00016fdb.bin | rtf-objdata-decoded | RTF \objdata at offset 0x16FDB | 3714 bytes | 04b3d726caa78588103810167c5eeab0376f008b1c3bf8b3f29af7f98d2b4bb3 |
| objdata_07_off00018d94.bin | rtf-objdata-decoded | RTF \objdata at offset 0x18D94 | 3714 bytes | eb48bf4c6a64d16b4753ac4219c79b60a92036a40d954633140e9f7d644b50a2 |
| objdata_08_off0001ab4d.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1AB4D | 3714 bytes | 91d90907455ecaf9bfb0a42d109a351236db4f43675c70634ea8e1fd4f7772e5 |
| objdata_09_off0001c906.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1C906 | 3714 bytes | 9d68ad2bf2aa8adc97fe8237eee10816b31c619dc83f7ea4cb9243edac02ecc0 |
| objdata_10_off0001e6bf.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1E6BF | 3714 bytes | 9be93655c952555130af6facf7bc947edef3d23a541fa6405a4a38da34edc7a0 |
| objdata_11_off00020478.bin | rtf-objdata-decoded | RTF \objdata at offset 0x20478 | 3714 bytes | 515a643d6f1186dd0049d7032046f304efd1b6be8c53c19b868c14407442c6a2 |
| objdata_12_off00022231.bin | rtf-objdata-decoded | RTF \objdata at offset 0x22231 | 3714 bytes | 7823c2377fbec340ceee99e3070e4fe78dac4f8ec8befb20bd018ade4b759f68 |

Detection for objdata_00_off00009833.bin:
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 2 shell/COM execution token(s))