Malicious RTF — malware analysis report

Static analysis result for SHA-256 08e8b97e21ed963c…

MALICIOUS

RTF

1.39 MB Created: 2018-06-19 12:02:00 First seen: 2021-02-23
MD5: b50c0c22797745b3efefca6fb2dde963 SHA-1: d3fd7e07cbe339ba457dc31e52f08b4e53b6f493 SHA-256: 08e8b97e21ed963cf3651d05ce48d0fd58a686260c72cb539ea8eec6d2d6dcf6
Risk Score: 282

Heuristics (7)

  • Composite Moniker in RTF OLE object [high] [CVE related] RTF_COMPOSITE_MONIKER_RELATED
    RTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
  • ClamAV: Xls.Malware.Generic-6834349-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.Generic-6834349-0
  • \objupdate forces OLE activation [high] RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • Large hex data blocks in OLE object [high] RTF_EXCESSIVE_HEX
    RTF contains ~1006KB of hex-encoded data inside \objdata sections — may hide a payload
  • OLE object data [medium] RTF_OBJDATA
    RTF contains 15 \objdata section(s) — embedded OLE objects
  • Embedded OLE object [medium] RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)

Extracted artifacts (15)

Files carved from inside the sample during analysis.

Filename  Kind  Source  Size
objdata_00_off00003d34.bin rtf-objdata-decoded RTF \objdata at offset 0x3D34 35899 bytes
SHA-256: febd0ca01fc9b6d05184e8c7edc9fe1a138b5933d99d609acb4adff14b730764
Detection
ClamAV: Xls.Malware.Generic-6834349-0
Obfuscation or payload: unlikely
objdata_01_off0001ae2e.bin rtf-objdata-decoded RTF \objdata at offset 0x1AE2E 35899 bytes
SHA-256: 88f62046b5eb4287e407d6080fa48fde278c57247388854df6ec7d47aa7a33b3
Detection
ClamAV: Xls.Malware.Generic-6834349-0
Obfuscation or payload: unlikely
objdata_02_off00031f28.bin rtf-objdata-decoded RTF \objdata at offset 0x31F28 35899 bytes
SHA-256: d100251671676db0eae3fff78092f7c5928731214b892232e2e4e6c000d5ff98
Detection
ClamAV: Xls.Malware.Generic-6834349-0
Obfuscation or payload: unlikely
objdata_03_off00049022.bin rtf-objdata-decoded RTF \objdata at offset 0x49022 35899 bytes
SHA-256: 7f85712cfa079304a7c28f7a4f10d11e3afbffaf58372731d620e344854776e1
Detection
ClamAV: Xls.Malware.Generic-6834349-0
Obfuscation or payload: unlikely
objdata_04_off0006011c.bin rtf-objdata-decoded RTF \objdata at offset 0x6011C 35899 bytes
SHA-256: 3bf0bb6b9cb5daaea403f6f603c2f8ec1f1ddc929f8d190ebafccd27168e6b77
Detection
ClamAV: Xls.Malware.Generic-6834349-0
Obfuscation or payload: unlikely
objdata_05_off000772ec.bin rtf-objdata-decoded RTF \objdata at offset 0x772EC 35899 bytes
SHA-256: 77ce4488ae7de644b6be69159d31d7247df14c7dfdf519d863d90341fa4beb2e
Detection
ClamAV: Xls.Malware.Generic-6834349-0
Obfuscation or payload: unlikely
objdata_06_off0008e3e4.bin rtf-objdata-decoded RTF \objdata at offset 0x8E3E4 35899 bytes
SHA-256: dafe57d271a3f473d82f84eaccc1c71ad20d27a3dbcc43f97dc80b8e1d656b02
Detection
ClamAV: Xls.Malware.Generic-6834349-0
Obfuscation or payload: unlikely
objdata_07_off000a54de.bin rtf-objdata-decoded RTF \objdata at offset 0xA54DE 35899 bytes
SHA-256: c681b7d45ce1d6615f3785ceff62e2780a5caf122488db9fec088ec12d0a5a4a
Detection
ClamAV: Xls.Malware.Generic-6834349-0
Obfuscation or payload: unlikely
objdata_08_off000bc5d8.bin rtf-objdata-decoded RTF \objdata at offset 0xBC5D8 35899 bytes
SHA-256: ec311b35f995fe174a9fc6fa13699f8ae54511d7e98cd6b8bdacdb4ed9240e31
Detection
ClamAV: Xls.Malware.Generic-6834349-0
Obfuscation or payload: unlikely
objdata_09_off000d36d2.bin rtf-objdata-decoded RTF \objdata at offset 0xD36D2 35899 bytes
SHA-256: 40a3b4dbf18095ebab53357144dbc7966a959f1cf715afb563cae404b2d35735
Detection
ClamAV: Xls.Malware.Generic-6834349-0
Obfuscation or payload: unlikely
objdata_10_off000eb5e8.bin rtf-objdata-decoded RTF \objdata at offset 0xEB5E8 35899 bytes
SHA-256: 094ef881fbef38f9fdfa1a84318f14793310e27fb9fe9a1a6209f7e214fa8b46
Detection
ClamAV: Xls.Malware.Generic-6834349-0
Obfuscation or payload: unlikely
objdata_11_off00102700.bin rtf-objdata-decoded RTF \objdata at offset 0x102700 35899 bytes
SHA-256: d66b713669e41975847f7f9c81b9db8cad213d9ec7a563d7cedb483d76ad8950
Detection
ClamAV: Xls.Malware.Generic-6834349-0
Obfuscation or payload: unlikely
objdata_12_off0011981a.bin rtf-objdata-decoded RTF \objdata at offset 0x11981A 35899 bytes
SHA-256: e2d050045b53f94004f6c52b94e157f0b15795dd5c204c763f1eea12bc790841
Detection
ClamAV: Xls.Malware.Generic-6834349-0
Obfuscation or payload: unlikely
objdata_13_off00130934.bin rtf-objdata-decoded RTF \objdata at offset 0x130934 35899 bytes
SHA-256: bbda6c5909f8ea35fa9c90132ab4a8166f68f08dc3324ec77ddcc285e0a0bd54
Detection
ClamAV: Xls.Malware.Generic-6834349-0
Obfuscation or payload: unlikely
objdata_14_off00147a4e.bin rtf-objdata-decoded RTF \objdata at offset 0x147A4E 35899 bytes
SHA-256: 93256636726bb6862da197c7f408da333f82e8cc4bb1a778345d60919eb9b5cf
Detection
ClamAV: Xls.Malware.Generic-6834349-0
Obfuscation or payload: unlikely