MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment
The RTF document contains OLE object data and triggers a critical heuristic for CVE-2017-8759, indicating exploitation of a SOAP Moniker vulnerability. This vulnerability is used to execute arbitrary code, likely to download and run a secondary payload. The presence of ".objdata" and ".objupdate" sections further supports the exploitation of embedded OLE objects.
Heuristics 3
-
SOAP Moniker — CVE-2017-8759 (SOAP WSDL RCE) critical CVE_2017_8759RTF \objdata decodes to OLE data containing the SOAP Moniker — CVE-2017-8759 (SOAP WSDL RCE) CLSID — the vulnerable control/moniker is embedded directly in the document's object stream, the delivery shape of this exploit. RTF objects auto-render when Word opens the file.
-
\objupdate forces OLE activation high RTF_OBJUPDATERTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
-
OLE object data medium RTF_OBJDATARTF contains 1 \objdata section(s) — embedded OLE objects
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
objdata_00_off0000003c.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x3C | 50036 bytes |
SHA-256: d9718da86256fc604039428d84e3a2dbe8f707b3e6f96448b4bf17b55723fc9b |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.