MALICIOUS
182
Risk Score
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment
The RTF file contains numerous OLE objects and uses \objupdate to force OLE activation, strongly indicating exploitation of CVE-2017-8759. This vulnerability allows for arbitrary code execution when a vulnerable MSXML version processes the embedded OLE object, likely leading to the download and execution of a secondary payload. The presence of large hex data blocks within the OLE object further suggests the hiding of malicious content.
Heuristics 6
-
CVE-2017-8759 — MSXML SAX OLE activation critical CVE likely CVE_2017_8759RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
-
\objupdate forces OLE activation high RTF_OBJUPDATERTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
-
Large hex data blocks in OLE object high RTF_EXCESSIVE_HEXRTF contains ~1002KB of hex-encoded data inside \objdata sections — may hide a payload
-
OLE object data medium RTF_OBJDATARTF contains 10 \objdata section(s) — embedded OLE objects
-
Embedded OLE object medium RTF_OBJEMBRTF contains \objemb — embedded OLE object
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.microsoft.com/office/word/2003/wordml In RTF body
Extracted artifacts 10
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
objdata_00_off000ef51f.bin |
rtf-objdata-decoded | RTF \objdata at offset 0xEF51F | 17473 bytes |
SHA-256: 7c9e7aa9fae1c96ef5ef6812a6be245909d8c587c46daee1fa624bdca927660f |
|||
objdata_01_off000fd73a.bin |
rtf-objdata-decoded | RTF \objdata at offset 0xFD73A | 17473 bytes |
SHA-256: 70fbac1074507ed8ffeb60e1b5a3e563b173235f5d71981574749daeaa5e452d |
|||
objdata_02_off0010b957.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x10B957 | 17473 bytes |
SHA-256: 9ed93bad687e97717eb57f2316ae1d0b8b681d1bc516ffff63d1412963758c45 |
|||
objdata_03_off00119b74.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x119B74 | 17473 bytes |
SHA-256: ae58d733a11060565c44353989a4938b82cd6ba2a3be5ebcb23619c219d62668 |
|||
objdata_04_off00127d91.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x127D91 | 17473 bytes |
SHA-256: 66273bd7966b82dcb895e446e88ff74241a3c66303e4d877a46b12511881e609 |
|||
objdata_05_off00135fae.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x135FAE | 17473 bytes |
SHA-256: a1c88c5cb510397c2a69fafcdc1a6ebd7e4fbe70d102695b28342bab39b5c5f5 |
|||
objdata_06_off001441cb.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x1441CB | 17473 bytes |
SHA-256: 2d6a2cf2cae14413b290a87ead4287959a672a86b486a086d55fee6b6348e5bb |
|||
objdata_07_off001523e8.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x1523E8 | 17473 bytes |
SHA-256: 8d9d8c8e8ab8c40437d601d112759ffa10e8395ef5302bb4b6f65092f13f21ec |
|||
objdata_08_off00160605.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x160605 | 17473 bytes |
SHA-256: 04a8e7ae8c384832472e801f8ee8e2de58a05c0b7ca4b69e082e12a9b8523016 |
|||
objdata_09_off0016e822.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x16E822 | 17473 bytes |
SHA-256: 1f1f33a98e2c4f0e45ced993cd06d3d4106a3aa957b6453eddd188d1fea8a6ed |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.