Verdict: MALICIOUS
Risk Score: 242
Heuristics (6)
- Composite Moniker in RTF OLE object | high | RTF_COMPOSITE_MONIKER_RELATED
  RTF contains the Composite Moniker CLSID in an OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat this as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
- ClamAV: Xls.Malware.Generic-6834349-0 | critical | CLAMAV_DETECTION
  ClamAV detected this file as malware: Xls.Malware.Generic-6834349-0
- \objupdate forces OLE activation | high | RTF_OBJUPDATE
  RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, with no user interaction with the object required. Almost exclusively seen in Equation Editor exploit documents.
- OLE object data | medium | RTF_OBJDATA
  RTF contains 10 \objdata section(s) (embedded OLE objects).
- Embedded OLE object | medium | RTF_OBJEMB
  RTF contains \objemb (embedded OLE object).
- Embedded URL | info | EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body). This is the WordprocessingML 2003 namespace URI that Word writes into the RTF XML namespace table; it is a schema identifier, not a download or callback address, and is not by itself a network indicator.
Extracted artifacts (10)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 | ClamAV detection | Obfuscation or payload |
|---|---|---|---|---|---|---|
| objdata_00_off00003da7.bin | rtf-objdata-decoded | RTF \objdata at offset 0x3DA7 | 35899 bytes | 241b6c4ee382a36c4f860c83af54bd349e6fe19fad6943e709185462809324f7 | Xls.Malware.Generic-6834349-0 | unlikely |
| objdata_01_off0001aed8.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1AED8 | 35899 bytes | 6c53bee429fcb53e9bd4b2632334605dfdfca8838682aa2820e802e876ba9fbf | Xls.Malware.Generic-6834349-0 | unlikely |
| objdata_02_off00032009.bin | rtf-objdata-decoded | RTF \objdata at offset 0x32009 | 35899 bytes | 170208838bdaf75fac4903e0c28b0090c4fd523ca0ede6b41c06c115d177413c | Xls.Malware.Generic-6834349-0 | unlikely |
| objdata_03_off0004913a.bin | rtf-objdata-decoded | RTF \objdata at offset 0x4913A | 35899 bytes | c229fef3b712f1417fb1ead9563fe281ff9108661155e22926453b11e2b0ccd5 | Xls.Malware.Generic-6834349-0 | unlikely |
| objdata_04_off0006026b.bin | rtf-objdata-decoded | RTF \objdata at offset 0x6026B | 35899 bytes | cef7c1263791208049997a68c79f84a09161e888d38cedc5998f586b83964a65 | Xls.Malware.Generic-6834349-0 | unlikely |
| objdata_05_off0007e89d.bin | rtf-objdata-decoded | RTF \objdata at offset 0x7E89D | 35899 bytes | 274be123eb6edf32891121a5fbdeab6c0fdb0ab066a606fced4405e5e89f6108 | Xls.Malware.Generic-6834349-0 | unlikely |
| objdata_06_off000959ee.bin | rtf-objdata-decoded | RTF \objdata at offset 0x959EE | 35899 bytes | 5a08f03e80fc135913633b0d154e20cc4413785d3732fbe5e6043d4407761a22 | Xls.Malware.Generic-6834349-0 | unlikely |
| objdata_07_off000acb3f.bin | rtf-objdata-decoded | RTF \objdata at offset 0xACB3F | 35899 bytes | 794f9d3eccd43e4ab7549f3d76452a384aa977c597806aa5b05131ccdf241ef8 | Xls.Malware.Generic-6834349-0 | unlikely |
| objdata_08_off000c3c90.bin | rtf-objdata-decoded | RTF \objdata at offset 0xC3C90 | 35899 bytes | 14b2409ebe9d16291582814cee4b61eef03914d5340eb35cd56cda3ca75c6a35 | Xls.Malware.Generic-6834349-0 | unlikely |
| objdata_09_off000dade1.bin | rtf-objdata-decoded | RTF \objdata at offset 0xDADE1 | 35899 bytes | 0c200b81ab30f6380553f65bdb34b4823a61aa48a33ef677926efa5fca68dc86 | Xls.Malware.Generic-6834349-0 | unlikely |

All ten carved objects are the same size (35899 bytes) but have distinct SHA-256 hashes, and every one of them triggers the same ClamAV signature.
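As an added example (not part of this report and not the analyzer's own code), the Python script below reproduces the checks behind the RTF heuristics and the \objdata carving above: it locates every \objdata group, hex-decodes it the way the carved objdata_NN_off*.bin artifacts were produced, parses the OLE 1.0 object header to recover the class name and native data, flags \objupdate and \objemb, and searches the decoded bytes for the Composite Moniker CLSID (the RTF_COMPOSITE_MONIKER_RELATED condition: CLSID present, payload not confirmed). The CLSID values are published constants. The RTF handling is deliberately simplified compared with rtfobj (no \bin support; control words inside the hex run are dropped), and build_sample() constructs a small test document for the demonstration; it is not the analyzed file.

```python
import re
import struct

# Published OLE CLSIDs (general knowledge, not values taken from this report).
KNOWN_CLSIDS = {
    "00000309-0000-0000-c000-000000000046": "CompositeMoniker",
    "0002ce02-0000-0000-c000-000000000046": "Equation.3",
}


def guid_to_bytes(guid: str) -> bytes:
    """Textual GUID -> the mixed-endian 16-byte layout used inside OLE data."""
    d1, d2, d3, d4, d5 = guid.split("-")
    return (int(d1, 16).to_bytes(4, "little")
            + int(d2, 16).to_bytes(2, "little")
            + int(d3, 16).to_bytes(2, "little")
            + bytes.fromhex(d4) + bytes.fromhex(d5))


CLSID_BYTES = {guid_to_bytes(g): name for g, name in KNOWN_CLSIDS.items()}
CONTROL_WORD = re.compile(rb"\\[A-Za-z]+-?\d* ?|\\[^A-Za-z]")
NON_HEX = re.compile(rb"[^0-9A-Fa-f]")


def extract_objdata(rtf: bytes):
    """Yield (offset, decoded_bytes) for each \\objdata group.

    The hex body runs to the closing brace of the enclosing group; control
    words and non-hex characters inside it are dropped before decoding.
    Simplified (no \\bin support) compared with rtfobj, but enough for triage.
    """
    for m in re.finditer(rb"\\objdata(?![A-Za-z])", rtf):
        depth, end = 0, len(rtf)
        for i in range(m.end(), len(rtf)):
            if rtf[i] == ord("{"):
                depth += 1
            elif rtf[i] == ord("}"):
                if depth == 0:
                    end = i
                    break
                depth -= 1
        body = NON_HEX.sub(b"", CONTROL_WORD.sub(b"", rtf[m.end():end]))
        body = body[: len(body) - len(body) % 2]   # drop a dangling nibble
        yield m.start(), bytes.fromhex(body.decode("ascii"))


def read_lp_ansi(data: bytes, pos: int):
    """OLE1 LengthPrefixedAnsiString: 4-byte length (incl. NUL) then bytes."""
    if pos + 4 > len(data):
        return None, pos
    n = struct.unpack_from("<I", data, pos)[0]
    pos += 4
    if pos + n > len(data):
        return None, pos
    return data[pos:pos + n].rstrip(b"\x00").decode("latin-1"), pos + n


def parse_ole1(data: bytes):
    """Parse the OLE 1.0 ObjectHeader at the start of decoded \\objdata bytes.

    FormatID 2 is an embedded object; NativeDataSize and NativeData then follow
    the ClassName/TopicName/ItemName strings. Returns None if malformed.
    """
    if len(data) < 12:
        return None
    ole_version, format_id = struct.unpack_from("<II", data, 0)
    class_name, pos = read_lp_ansi(data, 8)
    topic, pos = read_lp_ansi(data, pos)
    item, pos = read_lp_ansi(data, pos)
    if class_name is None or topic is None or item is None:
        return None
    info = {"ole_version": ole_version, "format_id": format_id,
            "class_name": class_name}
    if format_id == 2 and pos + 4 <= len(data):
        size = struct.unpack_from("<I", data, pos)[0]
        info["native_data"] = data[pos + 4:pos + 4 + size]
    return info


def triage(rtf: bytes) -> dict:
    """Reproduce the report's RTF heuristics over one document."""
    objects = []
    for off, blob in extract_objdata(rtf):
        hdr = parse_ole1(blob) or {}
        hits = sorted(n for b, n in CLSID_BYTES.items() if b in blob)
        objects.append({"offset": off, "size": len(blob), "clsids": hits,
                        "class_name": hdr.get("class_name"),
                        "format_id": hdr.get("format_id")})
    objupdate = b"\\objupdate" in rtf
    return {
        "objupdate": objupdate,
        "objemb": b"\\objemb" in rtf,
        "objdata_count": len(objects),
        "objects": objects,
        # RTF_COMPOSITE_MONIKER_RELATED: CLSID present, payload not confirmed here
        "composite_moniker": any("CompositeMoniker" in o["clsids"] for o in objects),
        # \objupdate only matters when there is an object for it to activate
        "auto_activation": objupdate and bool(objects),
    }


def build_sample() -> bytes:
    """Constructed test RTF (not the analyzed sample): one embedded OLE1 object
    whose native data carries the CompositeMoniker CLSID, plus \\objupdate."""
    def lp(s: bytes) -> bytes:
        return struct.pack("<I", len(s) + 1) + s + b"\x00"
    native = b"\x00" * 8 + guid_to_bytes("00000309-0000-0000-c000-000000000046") + b"\x00" * 16
    obj = (struct.pack("<II", 0x501, 2) + lp(b"OLE2Link")
           + struct.pack("<II", 0, 0)            # empty TopicName and ItemName
           + struct.pack("<I", len(native)) + native)
    return (b"{\\rtf1{\\object\\objemb\\objupdate{\\*\\objdata "
            + obj.hex().encode("ascii") + b"}}}")


if __name__ == "__main__":
    for key, value in triage(build_sample()).items():
        print(f"{key}: {value}")
```

Run it against a real RTF with `triage(open(path, "rb").read())`; each entry in `objects` corresponds to one carved objdata artifact, and the offset it reports is the position of the \objdata control word rather than of the first hex byte, so expect a small difference from the offsets in the table above.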