Malicious RTF — malware analysis report

Static analysis result for SHA-256 0520c30ee894815f…

MALICIOUS

RTF

355.5 KB Created: 2018-04-29 08:06:00 First seen: 2021-02-23
MD5: df980f4b2ab2917282d3e6f9ff9a96a1 SHA-1: 070d32076e5c060365d702b8db8d721e3df87375 SHA-256: 0520c30ee894815fdfb27f314a081a7fda404ca4f37b1d838e5e99c946781f24
242 Risk Score

Heuristics 6

  • Composite Moniker in RTF OLE object high CVE related RTF_COMPOSITE_MONIKER_RELATED
    RTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
  • ClamAV: Doc.Dropper.Agent-6412232-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6412232-1
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 5 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2003/wordml In RTF body

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off0000291d.bin rtf-objdata-decoded RTF \objdata at offset 0x291D 25147 bytes
SHA-256: 67d9f7ccca6b56f3a381cff5b6ed1010eaf6b20a207f9520a158de76f63a8378
Detection
ClamAV: Doc.Dropper.Agent-6412232-1
Obfuscation or payload: unlikely
objdata_01_off00014508.bin rtf-objdata-decoded RTF \objdata at offset 0x14508 25147 bytes
SHA-256: 41546d8d317d957647ff55847414c50f114368d65cd9248c320f4f862215ce5c
Detection
ClamAV: Doc.Dropper.Agent-6412232-1
Obfuscation or payload: unlikely
objdata_02_off0002616f.bin rtf-objdata-decoded RTF \objdata at offset 0x2616F 25147 bytes
SHA-256: 1411db758d97c07c817305710c7539f19d341087583bf2a06bc7510ede3c57e5
Detection
ClamAV: Doc.Dropper.Agent-6412232-1
Obfuscation or payload: unlikely
objdata_03_off00037dd8.bin rtf-objdata-decoded RTF \objdata at offset 0x37DD8 25147 bytes
SHA-256: 0b5080ff4b5247bf8e808400351811b2af225036c5dc9173dcdcf060f092230f
Detection
ClamAV: Doc.Dropper.Agent-6412232-1
Obfuscation or payload: unlikely
objdata_04_off00049a41.bin rtf-objdata-decoded RTF \objdata at offset 0x49A41 25147 bytes
SHA-256: 8292d1ff2325d14d4880efcd330dd3a92d00ee1abf39f79a73f7f9b4dbf5b9ba
Detection
ClamAV: Doc.Dropper.Agent-6412232-1
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.