MALICIOUS
282
Risk Score
Heuristics 7
-
Composite Moniker in RTF OLE object high RTF_COMPOSITE_MONIKER_RELATEDRTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
-
ClamAV: Xls.Malware.Generic-6834349-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Xls.Malware.Generic-6834349-0
-
\objupdate forces OLE activation high RTF_OBJUPDATERTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
-
Large hex data blocks in OLE object high RTF_EXCESSIVE_HEXRTF contains ~1005KB of hex-encoded data inside \objdata sections — may hide a payload
-
OLE object data medium RTF_OBJDATARTF contains 10 \objdata section(s) — embedded OLE objects
-
Embedded OLE object medium RTF_OBJEMBRTF contains \objemb — embedded OLE object
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.microsoft.com/office/word/2003/wordml In RTF body
Extracted artifacts 10
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
objdata_00_off00003da8.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x3DA8 | 35899 bytes |
SHA-256: 24ffd7c705b66af2733b3c417ed945fc30174726126d4d41eb3198cb21ec8341 |
|||
|
Detection
ClamAV:
Xls.Malware.Generic-6834349-0
Obfuscation or payload:
unlikely
|
|||
objdata_01_off0001aee0.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x1AEE0 | 35899 bytes |
SHA-256: d2f0adfa4341142b5f5d6ea21cda7bb98e990a3a43ecba987ee9c9d671d0b856 |
|||
|
Detection
ClamAV:
Xls.Malware.Generic-6834349-0
Obfuscation or payload:
unlikely
|
|||
objdata_02_off00032018.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x32018 | 35899 bytes |
SHA-256: 4a2cdb4f2add8151e1cdcf6b0047cb847b0ff7aa1079ad549fd41818cc7fc9d1 |
|||
|
Detection
ClamAV:
Xls.Malware.Generic-6834349-0
Obfuscation or payload:
unlikely
|
|||
objdata_03_off00049150.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x49150 | 35899 bytes |
SHA-256: 9639b46250d6b027ac3837ce0cf6ec6b5bf04a2b0f2fd5ff86540ac7b892ebc9 |
|||
|
Detection
ClamAV:
Xls.Malware.Generic-6834349-0
Obfuscation or payload:
unlikely
|
|||
objdata_04_off00060288.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x60288 | 35899 bytes |
SHA-256: 01d7040121bc58a838db1f614012346ca890f3c625d9f96d2ff162184ca4da43 |
|||
|
Detection
ClamAV:
Xls.Malware.Generic-6834349-0
Obfuscation or payload:
unlikely
|
|||
objdata_05_off0008ab71.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x8AB71 | 35899 bytes |
SHA-256: 2f37cf136b325517d61f6dcf0c56baac5b3f32f7cecab5e99adef76098743e0d |
|||
|
Detection
ClamAV:
Xls.Malware.Generic-6834349-0
Obfuscation or payload:
unlikely
|
|||
objdata_06_off000a1cc9.bin |
rtf-objdata-decoded | RTF \objdata at offset 0xA1CC9 | 35899 bytes |
SHA-256: 3877a1e01092b29ba45e6cb399b6453bb1dbbfc989fc10e3d9ebf453845c099f |
|||
|
Detection
ClamAV:
Xls.Malware.Generic-6834349-0
Obfuscation or payload:
unlikely
|
|||
objdata_07_off000b8e21.bin |
rtf-objdata-decoded | RTF \objdata at offset 0xB8E21 | 35899 bytes |
SHA-256: a2ed033d27e197f7465ae12637102481779859d807cfc89e364c812580d30ce2 |
|||
|
Detection
ClamAV:
Xls.Malware.Generic-6834349-0
Obfuscation or payload:
unlikely
|
|||
objdata_08_off000cff79.bin |
rtf-objdata-decoded | RTF \objdata at offset 0xCFF79 | 35899 bytes |
SHA-256: 707862cf51ffc5a97e81be19aed4a4941fd61f1efd86f5c31e3ca4904e149ba0 |
|||
|
Detection
ClamAV:
Xls.Malware.Generic-6834349-0
Obfuscation or payload:
unlikely
|
|||
objdata_09_off000e70d1.bin |
rtf-objdata-decoded | RTF \objdata at offset 0xE70D1 | 35899 bytes |
SHA-256: 0328c43b62a3eb98f4eaf8ffc9986e8715c1a567132625cce96b7377a5fa9b7f |
|||
|
Detection
ClamAV:
Xls.Malware.Generic-6834349-0
Obfuscation or payload:
unlikely
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.