Verdict: MALICIOUS
Risk Score: 142

Malware Insights

MITRE ATT&CK
- T1203 Exploitation for Client Execution
- T1566.001 Spearphishing Attachment
The RTF file contains multiple embedded OLE objects and triggers an OLE activation via \objupdate, which is a strong indicator of exploitation. The critical heuristic firing for CVE-2017-8759 confirms the exploitation of this specific vulnerability to achieve code execution. The embedded benign URL is not considered a malicious IOC.
Heuristics (5)

- CVE-2017-8759 (MSXML SAX OLE activation) [critical, CVE_2017_8759]: RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
- \objupdate forces OLE activation [high, RTF_OBJUPDATE]: RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
- OLE object data [medium, RTF_OBJDATA]: RTF contains 10 \objdata section(s) (embedded OLE objects).
- Embedded OLE object [medium, RTF_OBJEMB]: RTF contains \objemb (embedded OLE object).
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body).
Extracted artifacts (10)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| objdata_00_off00002c3e.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2C3E | 26171 bytes | 2168fd269d6a365dcbf1b98c55482e76233b51f20d876d2575805c3db3729f98 |
| objdata_01_off0001584f.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1584F | 26171 bytes | 4fc19de7888f34def225b35abb56a159b559009bdccc5018b91a9310d2434d89 |
| objdata_02_off00028460.bin | rtf-objdata-decoded | RTF \objdata at offset 0x28460 | 26171 bytes | e6174de823241c4f4f77e0fd216487d8a7b80fe069b556a76e2151641c736dac |
| objdata_03_off0003b071.bin | rtf-objdata-decoded | RTF \objdata at offset 0x3B071 | 26171 bytes | 7ecac4f3af6791b691f202d847e90eb4e74bae4c65b3102f74ceeebd34c0ee7e |
| objdata_04_off0004dc82.bin | rtf-objdata-decoded | RTF \objdata at offset 0x4DC82 | 26171 bytes | 1065e2815e2535ebd0594cd99fbb7538b175c946f140db5851e5711c2792e681 |
| objdata_05_off000608db.bin | rtf-objdata-decoded | RTF \objdata at offset 0x608DB | 26171 bytes | 3e4c104d7387ed60e9f051f0493194a9870776f33a7e1a5b355576a6f9a69d4e |
| objdata_06_off000734ec.bin | rtf-objdata-decoded | RTF \objdata at offset 0x734EC | 26171 bytes | 9edfc40dc4f021020daf3ba064440d5f62eaccc5c0dbc7069ad67bbf3082ebb5 |
| objdata_07_off000860fd.bin | rtf-objdata-decoded | RTF \objdata at offset 0x860FD | 26171 bytes | 3aba8925f6b095f2ee8ad0eb1e6710a45e3ba941cb7353e7a90b95aa9eec275c |
| objdata_08_off00098d0e.bin | rtf-objdata-decoded | RTF \objdata at offset 0x98D0E | 26171 bytes | 2ee22cd2fe3d957f17d28f85e2512833fc0318bc2dbb2e01ebd651e1d04ecd31 |
| objdata_09_off000ab91f.bin | rtf-objdata-decoded | RTF \objdata at offset 0xAB91F | 26171 bytes | 6e99bf85aaef54184645aae77a5922468d8a15b36e00b7faa98bc54df915d16f |