Verdict: MALICIOUS
Risk Score: 242
Heuristics (6)

- Composite Moniker in RTF OLE object [high] RTF_COMPOSITE_MONIKER_RELATED: RTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
- ClamAV: Xls.Malware.Generic-6834349-0 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Xls.Malware.Generic-6834349-0
- \objupdate forces OLE activation [high] RTF_OBJUPDATE: RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
- OLE object data [medium] RTF_OBJDATA: RTF contains 10 \objdata section(s) — embedded OLE objects
- Embedded OLE object [medium] RTF_OBJEMB: RTF contains \objemb — embedded OLE object
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)
Extracted artifacts (10)

Files carved from inside the sample during analysis. All ten carved objects are the same size (35899 bytes) and carry the same ClamAV detection, but differ in content (distinct SHA-256 values); obfuscation or payload was rated unlikely for each.

| Filename | Kind | Source | Size | SHA-256 | Detection |
|---|---|---|---|---|---|
| objdata_00_off00003da2.bin | rtf-objdata-decoded | RTF \objdata at offset 0x3DA2 | 35899 bytes | 40bbb8f12edbadcecac678e9bf76962e85bf768891e5d49a5102e7aea2890784 | ClamAV: Xls.Malware.Generic-6834349-0; obfuscation or payload: unlikely |
| objdata_01_off0001aed3.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1AED3 | 35899 bytes | 35b342b69b6f9890ae95b75f70066bc84a41e572ccd503f1efbe83264675ef7e | ClamAV: Xls.Malware.Generic-6834349-0; obfuscation or payload: unlikely |
| objdata_02_off00032004.bin | rtf-objdata-decoded | RTF \objdata at offset 0x32004 | 35899 bytes | d88577a6391b96d64bc214423a083c74c169dbc22dc4c888fd70140b84a97ae9 | ClamAV: Xls.Malware.Generic-6834349-0; obfuscation or payload: unlikely |
| objdata_03_off00049135.bin | rtf-objdata-decoded | RTF \objdata at offset 0x49135 | 35899 bytes | 10945e45b573c99069ccd597678e1e6843404fe136b14875f18de308c29e0b07 | ClamAV: Xls.Malware.Generic-6834349-0; obfuscation or payload: unlikely |
| objdata_04_off00060266.bin | rtf-objdata-decoded | RTF \objdata at offset 0x60266 | 35899 bytes | 3f10e5743cacd72b4932e42cfcd8fc9464cbfc09e84141a5bbba9b503fbda1a9 | ClamAV: Xls.Malware.Generic-6834349-0; obfuscation or payload: unlikely |
| objdata_05_off0007c1a1.bin | rtf-objdata-decoded | RTF \objdata at offset 0x7C1A1 | 35899 bytes | 040c54ac66e565b744261e4394bbae3d5cf21bd2999ca5f4cdd8e1e72be7fa50 | ClamAV: Xls.Malware.Generic-6834349-0; obfuscation or payload: unlikely |
| objdata_06_off000931eb.bin | rtf-objdata-decoded | RTF \objdata at offset 0x931EB | 35899 bytes | 0a73661038583fdc0b7bdbb584ba6ddbf3bee3a2b1b8666119c1613c85bb0c84 | ClamAV: Xls.Malware.Generic-6834349-0; obfuscation or payload: unlikely |
| objdata_07_off000aa33c.bin | rtf-objdata-decoded | RTF \objdata at offset 0xAA33C | 35899 bytes | 54e126d43f6e0bba3ad66adbaddeba16ea8a23af1e51c4587626d411bc9897f8 | ClamAV: Xls.Malware.Generic-6834349-0; obfuscation or payload: unlikely |
| objdata_08_off000c148d.bin | rtf-objdata-decoded | RTF \objdata at offset 0xC148D | 35899 bytes | e9f83f7fd8bcb543d30fe9aa5f6714b90349361bc1d6f3bcfc1205f3b70db1b2 | ClamAV: Xls.Malware.Generic-6834349-0; obfuscation or payload: unlikely |
| objdata_09_off000d85de.bin | rtf-objdata-decoded | RTF \objdata at offset 0xD85DE | 35899 bytes | ff14912a443887fca810fcc340caa3991f5409330ea162b6bd2b667c50291970 | ClamAV: Xls.Malware.Generic-6834349-0; obfuscation or payload: unlikely |