Verdict: MALICIOUS
Risk Score: 242

Heuristics (6):

- Composite Moniker in RTF OLE object (severity: high, rule: RTF_COMPOSITE_MONIKER_RELATED): RTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
- ClamAV: Xls.Malware.Generic-6834349-0 (severity: critical, rule: CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Malware.Generic-6834349-0
- \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE): RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
- OLE object data (severity: medium, rule: RTF_OBJDATA): RTF contains 10 \objdata section(s), i.e. embedded OLE objects.
- Embedded OLE object (severity: medium, rule: RTF_OBJEMB): RTF contains \objemb (embedded OLE object).
- Embedded URL (severity: info, rule: EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.microsoft.com/office/word/2003/wordml (found in RTF body).
Extracted artifacts 10
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 | ClamAV detection | Obfuscation or payload |
|---|---|---|---|---|---|---|
| objdata_00_off00003d34.bin | rtf-objdata-decoded | RTF \objdata at offset 0x3D34 | 35899 bytes | 06bd7d0cdda0c469f444745ba6fdbc56c363edb3724d9d03bc50f5888ddc1fc2 | Xls.Malware.Generic-6834349-0 | unlikely |
| objdata_01_off0001ae65.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1AE65 | 35899 bytes | 2a569a5056e11c5a70ab8a066d0d667e693d09c90f5d4c7d44037865f473dfb6 | Xls.Malware.Generic-6834349-0 | unlikely |
| objdata_02_off00031f96.bin | rtf-objdata-decoded | RTF \objdata at offset 0x31F96 | 35899 bytes | 4197a913864768aa63024dc555dd25b6314e2df640d1f73946dc68c86c019816 | Xls.Malware.Generic-6834349-0 | unlikely |
| objdata_03_off000490c7.bin | rtf-objdata-decoded | RTF \objdata at offset 0x490C7 | 35899 bytes | eac97b468daef4fcd3587371d15f83f70706270180d44e12ac128f97378c88f6 | Xls.Malware.Generic-6834349-0 | unlikely |
| objdata_04_off000601f8.bin | rtf-objdata-decoded | RTF \objdata at offset 0x601F8 | 35899 bytes | 92a8fda459f1201e203a8b2b2a748b693f4ffe1a5945b536fae270a6c96edd43 | Xls.Malware.Generic-6834349-0 | unlikely |
| objdata_05_off0007e7e2.bin | rtf-objdata-decoded | RTF \objdata at offset 0x7E7E2 | 35899 bytes | 9c076a967dbaff70abc49f977ab24c2610959b5501ea89ca3be00a08c3095d90 | Xls.Malware.Generic-6834349-0 | unlikely |
| objdata_06_off0009582c.bin | rtf-objdata-decoded | RTF \objdata at offset 0x9582C | 35899 bytes | 6d703d4737bae33a559fe4328f28b0ce4a87baa9155fa8e9a3cbc5d26e5f1ec9 | Xls.Malware.Generic-6834349-0 | unlikely |
| objdata_07_off000ac97d.bin | rtf-objdata-decoded | RTF \objdata at offset 0xAC97D | 35899 bytes | 2e28228fd507213c7e9e7a956be61c36473c0d91fed136fba122d682ac49fb14 | Xls.Malware.Generic-6834349-0 | unlikely |
| objdata_08_off000c3ace.bin | rtf-objdata-decoded | RTF \objdata at offset 0xC3ACE | 35899 bytes | 6cbadfce9960f58de4f7fd133dede78170308eb9048dcf21d56ca509a5ffa5fa | Xls.Malware.Generic-6834349-0 | unlikely |
| objdata_09_off000dac1f.bin | rtf-objdata-decoded | RTF \objdata at offset 0xDAC1F | 35899 bytes | 4e4716ad67e6a4dd9ac27b05c46be97191233b91336c4599d4ccfd6df0bcec57 | Xls.Malware.Generic-6834349-0 | unlikely |