Verdict: MALICIOUS
Risk score: 242
Heuristics (6)

- Composite Moniker in RTF OLE object (severity: high, rule: RTF_COMPOSITE_MONIKER_RELATED): RTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
- ClamAV: Xls.Malware.Generic-6834349-0 (severity: critical, rule: CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Malware.Generic-6834349-0
- \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE): RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
- OLE object data (severity: medium, rule: RTF_OBJDATA): RTF contains 10 \objdata section(s) — embedded OLE objects
- Embedded OLE object (severity: medium, rule: RTF_OBJEMB): RTF contains \objemb — embedded OLE object
- Embedded URL (severity: info, rule: EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)
Extracted artifacts (10)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 | Detection | Obfuscation or payload |
|---|---|---|---|---|---|---|
| objdata_00_off00003d2a.bin | rtf-objdata-decoded | RTF \objdata at offset 0x3D2A | 35899 bytes | 7f20f9bd39ee939bb40ebde988fb52665938fd1c9201639ef802b1805477111e | ClamAV: Xls.Malware.Generic-6834349-0 | unlikely |
| objdata_01_off0001ae48.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1AE48 | 35899 bytes | 362e8d1c99afbec0e5389b27148692719713b8c225cb0f35c40b611292a31086 | ClamAV: Xls.Malware.Generic-6834349-0 | unlikely |
| objdata_02_off00031f66.bin | rtf-objdata-decoded | RTF \objdata at offset 0x31F66 | 35899 bytes | 68fc7f22cf63062954bd20651e5e9966a965716b39f810887d69c09a9ef5886e | ClamAV: Xls.Malware.Generic-6834349-0 | unlikely |
| objdata_03_off00049084.bin | rtf-objdata-decoded | RTF \objdata at offset 0x49084 | 35899 bytes | 9acaa5726ffa511dc40704822415ddd02f74d557ba4b6a0ca396a9e83ff044fc | ClamAV: Xls.Malware.Generic-6834349-0 | unlikely |
| objdata_04_off000601a2.bin | rtf-objdata-decoded | RTF \objdata at offset 0x601A2 | 35899 bytes | cd109ca8cf9702e1730c3ab77763db80edef0bb0ee18dbd672423a620be19ca3 | ClamAV: Xls.Malware.Generic-6834349-0 | unlikely |
| objdata_05_off000772c7.bin | rtf-objdata-decoded | RTF \objdata at offset 0x772C7 | 35899 bytes | 0bfbb6bd240ae766f2bad003cd9ce3a648e723c4e47ae0083ea61394788aa0b8 | ClamAV: Xls.Malware.Generic-6834349-0 | unlikely |
| objdata_06_off0008e3e5.bin | rtf-objdata-decoded | RTF \objdata at offset 0x8E3E5 | 35899 bytes | 60df28a0b21a4819bd2a1d9381b382a8bfb9cda0f40b1e49ddc2230a6e18b401 | ClamAV: Xls.Malware.Generic-6834349-0 | unlikely |
| objdata_07_off000a5503.bin | rtf-objdata-decoded | RTF \objdata at offset 0xA5503 | 35899 bytes | 77249ecb0a12beae21962538aaf91eb8296935f6c8d9c54fa8ebf7a3253329c4 | ClamAV: Xls.Malware.Generic-6834349-0 | unlikely |
| objdata_08_off000bc621.bin | rtf-objdata-decoded | RTF \objdata at offset 0xBC621 | 35899 bytes | 2d4aee2b5ed708090f14ec6be7735bfbbefb2b546445a0ed249e27a55fb3af52 | ClamAV: Xls.Malware.Generic-6834349-0 | unlikely |
| objdata_09_off000d373f.bin | rtf-objdata-decoded | RTF \objdata at offset 0xD373F | 35899 bytes | c1ae3e0230e9b52f30322f1b5c9cc16bedf7bd3569114d4eb10fc30253617376 | ClamAV: Xls.Malware.Generic-6834349-0 | unlikely |