MALICIOUS
142
Risk Score
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment
The RTF file contains multiple embedded OLE objects, with one specifically triggering an update that exploits CVE-2017-8759. This vulnerability allows for arbitrary code execution when the OLE object is activated, likely leading to the download and execution of a secondary payload. The presence of embedded OLE objects and the specific CVE exploit indicate a malicious document designed for initial compromise.
Heuristics 5
-
CVE-2017-8759 — MSXML SAX OLE activation critical CVE likely CVE_2017_8759RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
-
\objupdate forces OLE activation high RTF_OBJUPDATERTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
-
OLE object data medium RTF_OBJDATARTF contains 10 \objdata section(s) — embedded OLE objects
-
Embedded OLE object medium RTF_OBJEMBRTF contains \objemb — embedded OLE object
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.microsoft.com/office/word/2003/wordml In RTF body
Extracted artifacts 10
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
objdata_00_off00002c47.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x2C47 | 31803 bytes |
SHA-256: 7dda613cd5fc085c410be73393ba01fd61d06dadf208fc990b4c0f6547ff65e5 |
|||
objdata_01_off0001805e.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x1805E | 31803 bytes |
SHA-256: efa1e9b60508c3692a1a708adb2e14043d59fac86533058a748fc86f570ca76e |
|||
objdata_02_off0002d475.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x2D475 | 31803 bytes |
SHA-256: e163fd866b31ce3b33d6beafb5cd5184a0963788cd97817bcda18000f7f99fb1 |
|||
objdata_03_off0004288c.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x4288C | 31803 bytes |
SHA-256: 1ea889013a05f519eb37069483390919d10d5f83f4a4c84105718da7a0c02542 |
|||
objdata_04_off00057ca3.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x57CA3 | 31803 bytes |
SHA-256: 45561eae5019b387c757cda0a61e7f38c0f4f1f9b3b2fd2947800a394da208bc |
|||
objdata_05_off0006d0c1.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x6D0C1 | 31803 bytes |
SHA-256: d443f1a03844fc8174b217c9ad4e47ca4eaca589a78fcc43de365d91931f31cf |
|||
objdata_06_off000824d8.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x824D8 | 31803 bytes |
SHA-256: 46f4cdc11f73f22916ad598eab9f26eccf6547af97df49aa149806ae7dd9be3c |
|||
objdata_07_off000978ef.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x978EF | 31803 bytes |
SHA-256: 437bf1aacca533ad8f8645d7bc9b3b096a1abe78a7fef79bdb5325df8bea0772 |
|||
objdata_08_off000acd06.bin |
rtf-objdata-decoded | RTF \objdata at offset 0xACD06 | 31803 bytes |
SHA-256: f6d73fc36e32bf71d1ded8522869ff0d27d7e1039ca36cfc23dd9c8ea9439be5 |
|||
objdata_09_off000c211d.bin |
rtf-objdata-decoded | RTF \objdata at offset 0xC211D | 31803 bytes |
SHA-256: e9ac66e7c5abe2978d6eaddc2bc763835f98610cb718458d56d1c9095f9ec9cf |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.