Xls.Malware.Sload-7135989-0 — RTF malware analysis

Static analysis result for SHA-256 d2263fe668e1a318…

MALICIOUS

RTF

Size: 789.7 KB · Created: 2018-07-17 14:25:00 · First seen: 2019-03-18
MD5: eb237a834a32fc3e0a88dded7e94f838
SHA-1: 42743412cda477228c4287c64ef86e9cec30ed8d
SHA-256: d2263fe668e1a318b21323718708ee06317ea7ec14b834c93586d6588fe48ea8
Risk Score: 242

Malware Insights

Xls.Malware.Sload-7135989-0 · confidence 95%

MITRE ATT&CK
  T1203 Exploitation for Client Execution
  T1566.001 Spearphishing Attachment

The RTF file contains multiple OLE objects; heuristics flag the \objupdate control word (which forces OLE activation without user interaction) and the presence of Composite Monikers. ClamAV signatures identify the embedded content as Xls.Malware.Sload-7135989-0, suggesting an exploit targeting spreadsheet functionality. The primary attack vector is likely spearphishing, with the embedded OLE object serving as the malicious payload.

Heuristics (6)

  • Composite Moniker in RTF OLE object [high, CVE related] RTF_COMPOSITE_MONIKER_RELATED
    RTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
  • ClamAV: Xls.Malware.Sload-7135989-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.Sload-7135989-0
  • \objupdate forces OLE activation [high] RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium] RTF_OBJDATA
    RTF contains 10 \objdata section(s) — embedded OLE objects
  • Embedded OLE object [medium] RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)

Extracted artifacts (10)

Files carved from inside the sample during analysis. All ten artifacts share the same kind (rtf-objdata-decoded), the same size (27195 bytes) and the same detection (ClamAV: Xls.Malware.Sload-7135989-0; obfuscation or payload: unlikely), so those columns are listed once here and omitted from the table.

Filename                    Source                           SHA-256
objdata_00_off00003c43.bin  RTF \objdata at offset 0x3C43    24e32e594d39908b0b97fdea5d23f45363f852469c4ce0fc2d4232db8034f784
objdata_01_off000168b3.bin  RTF \objdata at offset 0x168B3   0275761ce5833de859f5337caea4d7c826f4277742bcee472d7b59de0dfd7d00
objdata_02_off00029523.bin  RTF \objdata at offset 0x29523   c1b58c414dbf21d3ca729561359b955daed433df826ea6857742c703cadb35fd
objdata_03_off0003c193.bin  RTF \objdata at offset 0x3C193   ec3083b8aa5cba77cc6afed3d6b775508d8808141deb095547c171eec705891b
objdata_04_off0004ee03.bin  RTF \objdata at offset 0x4EE03   ef38daaf1129737e907423009a67ce58c3e7bf4dfaaf65fcf338e3eae5a31360
objdata_05_off0006288f.bin  RTF \objdata at offset 0x6288F   e9a29cb39e03b98471b79239cd1b25c7c5787c723dede15345ef2ea0307d5828
objdata_06_off0007551e.bin  RTF \objdata at offset 0x7551E   4ff5279f06003c5112ed4e014026ed9c4c9e8b7ee03802c57e75816b9485e3f9
objdata_07_off000881af.bin  RTF \objdata at offset 0x881AF   8f862034f6c28519e7431f5663c11698b979508c22b0936f1f52018ad7e3fb76
objdata_08_off0009ae40.bin  RTF \objdata at offset 0x9AE40   0bdd554754f5fe92c8c8e6e12b430535bc4191d76b6058dc0b04b9310cf30cc2
objdata_09_off000adad1.bin  RTF \objdata at offset 0xADAD1   2e27efd3318155c02303b8c3a0f501d3c03d1d67f72a1a98643ccde73ccd07ba