Xls.Malware.Sload-7135989-0 — RTF malware analysis

Static analysis result for SHA-256 e9c895b7bda8d737…

Verdict: MALICIOUS

File type: RTF

Size: 790.2 KB · Created: 2018-07-17 14:08:00 · First seen: 2018-11-13
MD5: 50564f7bfdbe6f4c7801b67c3a31cfde
SHA-1: bb3b8669e9dce26e970bff6aebf475cab91fb106
SHA-256: e9c895b7bda8d7378c8ac46965fe8038541d02f285a8d0b47fd3cb94f6ed4e84
Risk score: 242

Malware Insights

Xls.Malware.Sload-7135989-0 · confidence 95%

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF file contains multiple OLE objects. Heuristics flag the \objupdate control word, which forces OLE activation without user interaction, and the presence of Composite Monikers. ClamAV signatures identify the embedded content as Xls.Malware.Sload-7135989-0, suggesting an exploit targeting spreadsheet functionality. The primary attack vector is likely spearphishing, with the embedded OLE object serving as the malicious payload.

Heuristics (6)

  • Composite Moniker in RTF OLE object · severity: high · CVE related · RTF_COMPOSITE_MONIKER_RELATED
    RTF contains a Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
  • ClamAV: Xls.Malware.Sload-7135989-0 · severity: critical · CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.Sload-7135989-0
  • \objupdate forces OLE activation · severity: high · RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data · severity: medium · RTF_OBJDATA
    RTF contains 10 \objdata section(s) — embedded OLE objects
  • Embedded OLE object · severity: medium · RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Embedded URL · severity: info · EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)

Extracted artifacts (10)

Files carved from inside the sample during analysis.

Filename · Kind · Source · Size

objdata_00_off00003c2b.bin · rtf-objdata-decoded · RTF \objdata at offset 0x3C2B · 27195 bytes
SHA-256: 407f214d557abc799d9365678276789573849bf91f059fb06a0acb0d96b4bfff
Detection: ClamAV: Xls.Malware.Sload-7135989-0
Obfuscation or payload: unlikely

objdata_01_off000168e1.bin · rtf-objdata-decoded · RTF \objdata at offset 0x168E1 · 27195 bytes
SHA-256: 90022147e16ef572edf0e78cbdd24b3db2798138a9917d836faee46a4eeeab1d
Detection: ClamAV: Xls.Malware.Sload-7135989-0
Obfuscation or payload: unlikely

objdata_02_off00029597.bin · rtf-objdata-decoded · RTF \objdata at offset 0x29597 · 27195 bytes
SHA-256: cc50621ca7041bd0689cae8680bda6db324605ff72124db37a1b6133674ff5a4
Detection: ClamAV: Xls.Malware.Sload-7135989-0
Obfuscation or payload: unlikely

objdata_03_off0003c24d.bin · rtf-objdata-decoded · RTF \objdata at offset 0x3C24D · 27195 bytes
SHA-256: 83f4ba3a7451b46ec9663708eba7823721ef783e0146f590076cc20aae0b32a2
Detection: ClamAV: Xls.Malware.Sload-7135989-0
Obfuscation or payload: unlikely

objdata_04_off0004ef03.bin · rtf-objdata-decoded · RTF \objdata at offset 0x4EF03 · 27195 bytes
SHA-256: c57504c0c1746172bf61594fdc6645151d506fb6af961beceacc54bc259ab3fb
Detection: ClamAV: Xls.Malware.Sload-7135989-0
Obfuscation or payload: unlikely

objdata_05_off00062986.bin · rtf-objdata-decoded · RTF \objdata at offset 0x62986 · 27195 bytes
SHA-256: 5414ffd2773d2c2e0f2c03ee3d65cf8795284bdf6e536db5720ef6d6607922fb
Detection: ClamAV: Xls.Malware.Sload-7135989-0
Obfuscation or payload: unlikely

objdata_06_off0007565b.bin · rtf-objdata-decoded · RTF \objdata at offset 0x7565B · 27195 bytes
SHA-256: 803809858fc37944fea23525b100502ec87a39e4284e1c26ab538d5d99f1c2b6
Detection: ClamAV: Xls.Malware.Sload-7135989-0
Obfuscation or payload: unlikely

objdata_07_off00088332.bin · rtf-objdata-decoded · RTF \objdata at offset 0x88332 · 27195 bytes
SHA-256: 6d7bcb01b52cc49d30c11d61ac244ac9cdf617bcea14a70476c6d7d7680bd049
Detection: ClamAV: Xls.Malware.Sload-7135989-0
Obfuscation or payload: unlikely

objdata_08_off0009b009.bin · rtf-objdata-decoded · RTF \objdata at offset 0x9B009 · 27195 bytes
SHA-256: c4f3244942c682eb2a5c4acd014a5cd63bb2e7441daa900d726fecfc71f2d1d7
Detection: ClamAV: Xls.Malware.Sload-7135989-0
Obfuscation or payload: unlikely

objdata_09_off000adce0.bin · rtf-objdata-decoded · RTF \objdata at offset 0xADCE0 · 27195 bytes
SHA-256: f3a3087fa4795863226c4df60f864276570667d67c7259d2f806bb43834d7203
Detection: ClamAV: Xls.Malware.Sload-7135989-0
Obfuscation or payload: unlikely