Malicious RTF — malware analysis report

Static analysis result for SHA-256 0665e25e7438ce0a…

Verdict: MALICIOUS
File type: RTF
Size: 1.23 MB
Created: 2019-09-17 13:59:00
First seen: 2021-02-18
MD5: 6d6f18eebe3938333c20155a817bd572
SHA-1: 51578db4d9134ae03b0407f167cce7c2609bec73
SHA-256: 0665e25e7438ce0a256e6b75eb632093efada98d4e1ca122b71ea4a83a0bffc6
Risk score: 142

Heuristics (5)

  • Equation Editor CLSID [critical, CVE likely] RTF_EQUATION_EDITOR
    Equation Editor OLE CLSID found inside an OLE object; this component is the target of CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798.
  • Ole10Native stream in RTF OLE object [high, CVE related] RTF_OLE10NATIVE_STREAM
    RTF contains an embedded OLE object with an Ole10Native stream. This is a strong payload-container signal and is related to Word/OLE exploit delivery, but it is not specific enough on its own to assign a CVE.
  • OLE object data [medium] RTF_OBJDATA
    RTF contains 1 \objdata section(s) (embedded OLE objects).
  • Embedded OLE object [medium] RTF_OBJEMB
    RTF contains \objemb (embedded OLE object).
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (channel: RTF body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off0013a68e.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x13A68E
Size: 2363 bytes
SHA-256: 017409edbc295de5d7ae255db5f9014a8516e568dc662f9340d7a4303388b8e9