MALICIOUS
302
Risk Score
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment
The RTF file contains numerous OLE objects and excessive hex-encoded data, strongly suggesting it hides a payload. Critical heuristics indicate exploitation of CVE-2017-8759 for OLE activation, a known vulnerability used to execute arbitrary code. ClamAV detection as 'Xls.Downloader.Generic-6750544-0' further confirms its malicious nature as a downloader.
Heuristics 7
-
CVE-2017-8759 — MSXML SAX OLE activation critical CVE likely CVE_2017_8759RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
-
ClamAV: Xls.Downloader.Generic-6750544-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Xls.Downloader.Generic-6750544-0
-
\objupdate forces OLE activation high RTF_OBJUPDATERTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
-
Large hex data blocks in OLE object high RTF_EXCESSIVE_HEXRTF contains ~1049KB of hex-encoded data inside \objdata sections — may hide a payload
-
OLE object data medium RTF_OBJDATARTF contains 17 \objdata section(s) — embedded OLE objects
-
Embedded OLE object medium RTF_OBJEMBRTF contains \objemb — embedded OLE object
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.microsoft.com/office/word/2003/wordml In RTF body
- http://schemas.openxmlformats.org/drawingml/2006/mainIn RTF body
Extracted artifacts 11
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
objdata_00_off00002c44.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x2C44 | 28731 bytes |
SHA-256: 5bb95fcf50b3e67713e530c734533e43782f9fd87d2d22a8ae76c2ee11b7fc2b |
|||
|
Detection
ClamAV:
Xls.Downloader.Generic-6750544-0
Obfuscation or payload:
unlikely
|
|||
objdata_01_off00016c84.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x16C84 | 28731 bytes |
SHA-256: 0caae0b80507f3f1f0f29559a2b99876eb0a7363fdb5ae3eb238184c3a5fc215 |
|||
|
Detection
ClamAV:
Xls.Downloader.Generic-6750544-0
Obfuscation or payload:
unlikely
|
|||
objdata_02_off0002acc4.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x2ACC4 | 28731 bytes |
SHA-256: d2ae796d279f4a11ba3b3b859f5c90e2422e30a1e3b94ed88a5360134b2c8e95 |
|||
|
Detection
ClamAV:
Xls.Downloader.Generic-6750544-0
Obfuscation or payload:
unlikely
|
|||
objdata_03_off0003ed04.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x3ED04 | 28731 bytes |
SHA-256: 133c2661f72a7775168af1ccc0128f095693a9db09d36e2985456a60739cf306 |
|||
|
Detection
ClamAV:
Xls.Downloader.Generic-6750544-0
Obfuscation or payload:
unlikely
|
|||
objdata_04_off00052d44.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x52D44 | 28731 bytes |
SHA-256: dae4d06113e488ab9e6662f2c9bbfaf1aa494860c9b757092b0aa3c04dc48f5c |
|||
|
Detection
ClamAV:
Xls.Downloader.Generic-6750544-0
Obfuscation or payload:
unlikely
|
|||
objdata_05_off00066d84.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x66D84 | 28731 bytes |
SHA-256: ca14b4c286ee424d1e4aefee900ce1f6e785740677383c63f7eaf5a331a3e0bd |
|||
|
Detection
ClamAV:
Xls.Downloader.Generic-6750544-0
Obfuscation or payload:
unlikely
|
|||
objdata_06_off0007adc4.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x7ADC4 | 424684 bytes |
SHA-256: ed9d199fab24973cb1b877d503923a2856a544f106cf6cc841acffad7759bde0 |
|||
|
Detection
ClamAV:
Xls.Downloader.Generic-6750544-0
Obfuscation or payload:
unlikely
|
|||
objdata_13_off00101349.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x101349 | 28731 bytes |
SHA-256: 57445bb0b0acd9a6e00990859d24d6f746cf4648367acb88448846e0f33d8fd2 |
|||
|
Detection
ClamAV:
Xls.Downloader.Generic-6750544-0
Obfuscation or payload:
unlikely
|
|||
objdata_14_off00115389.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x115389 | 28731 bytes |
SHA-256: b8803864058cb191893ad765af2800588115eef1838b98d6aa5715a59a1951b8 |
|||
|
Detection
ClamAV:
Xls.Downloader.Generic-6750544-0
Obfuscation or payload:
unlikely
|
|||
objdata_15_off001293c9.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x1293C9 | 28731 bytes |
SHA-256: 15900a78394cf9e647997c563e1af8303b6653ddb85bd6aab3eb7efabb55ff65 |
|||
|
Detection
ClamAV:
Xls.Downloader.Generic-6750544-0
Obfuscation or payload:
unlikely
|
|||
objdata_16_off0013d409.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x13D409 | 28731 bytes |
SHA-256: 4e6056bed46e25b262e6c8f831ba61882eb7f18da84612b89fd2082ad74edca3 |
|||
|
Detection
ClamAV:
Xls.Downloader.Generic-6750544-0
Obfuscation or payload:
unlikely
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.