Verdict: MALICIOUS
Risk Score: 242
Heuristics (6)
- Composite Moniker in RTF OLE object (severity: high, rule: RTF_COMPOSITE_MONIKER_RELATED). RTF contains a Composite Moniker CLSID in an OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
- ClamAV: Xls.Malware.Sload-7135989-0 (severity: critical, rule: CLAMAV_DETECTION). ClamAV detected this file as malware: Xls.Malware.Sload-7135989-0.
- \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE). RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
- OLE object data (severity: medium, rule: RTF_OBJDATA). RTF contains 9 \objdata section(s), i.e. embedded OLE objects.
- Embedded OLE object (severity: medium, rule: RTF_OBJEMB). RTF contains \objemb, an embedded OLE object.
- Embedded URL (severity: info, rule: EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body).
Extracted artifacts (9)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 | ClamAV detection | Obfuscation or payload |
|---|---|---|---|---|---|---|
| objdata_00_off00003c51.bin | rtf-objdata-decoded | RTF \objdata at offset 0x3C51 | 24635 bytes | ebe7aaa0738c4f56ca68e61482beb1af1eb087dae7696497ffa55a30fb296ab8 | Xls.Malware.Sload-7135989-0 | unlikely |
| objdata_01_off0001549e.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1549E | 24635 bytes | 58f40c834932ba1944dd4fbae49be04eba738580e36050f57d810108683776df | Xls.Malware.Sload-7135989-0 | unlikely |
| objdata_02_off00026ceb.bin | rtf-objdata-decoded | RTF \objdata at offset 0x26CEB | 24635 bytes | 4ce197c65413a83fa24ed2f6c00cb23e0a97a730549565507fdcfc46bbf3e884 | Xls.Malware.Sload-7135989-0 | unlikely |
| objdata_03_off00038538.bin | rtf-objdata-decoded | RTF \objdata at offset 0x38538 | 24635 bytes | e75c8c35b6a407158f9e6cb1c8d1ef2e2a36a922d4990700e827c3778c8230a8 | Xls.Malware.Sload-7135989-0 | unlikely |
| objdata_04_off00049d85.bin | rtf-objdata-decoded | RTF \objdata at offset 0x49D85 | 24635 bytes | 1e9ee063d1a869cf08c5caa7cf9178dd5ac5a759cd631b7d54bfdf94df916fa9 | Xls.Malware.Sload-7135989-0 | unlikely |
| objdata_05_off0005c3ee.bin | rtf-objdata-decoded | RTF \objdata at offset 0x5C3EE | 24635 bytes | 08e24eb7b874a03527bfe66a17ae922dfa7b5dab20112751c8740bb8f8ecb2b8 | Xls.Malware.Sload-7135989-0 | unlikely |
| objdata_06_off0006dc5a.bin | rtf-objdata-decoded | RTF \objdata at offset 0x6DC5A | 24635 bytes | 9d4439826717a0fd9e9fc8fa9516429b78c0e3fa0400e6564e935677d87784aa | Xls.Malware.Sload-7135989-0 | unlikely |
| objdata_07_off0007f4c8.bin | rtf-objdata-decoded | RTF \objdata at offset 0x7F4C8 | 24635 bytes | 7a86b2ba91941f1898912baf63080be0bca530c2d555ebd6c0869aae31093b93 | Xls.Malware.Sload-7135989-0 | unlikely |
| objdata_08_off00090d36.bin | rtf-objdata-decoded | RTF \objdata at offset 0x90D36 | 14575 bytes | 4b1344257c49bae8511f63b9463384ffc26ae121309861c78662dcea8f5c0a9b | | |