Malicious RTF — malware analysis report

Static analysis result for SHA-256 0a875b984e6f2878…

Verdict: MALICIOUS
File type: RTF
Size: 889.1 KB
Created: 2018-04-09 06:14:00
First seen: 2021-02-23
MD5: 3f607dd499ee05f38c0966ec0d070f9c
SHA-1: e25b72bf9278cd0d4ca6b1aec72109d3a7cf3e22
SHA-256: 0a875b984e6f2878f201c5955f5f36a4e412489d03071864b0dc615e5cf55276
Risk Score: 242

Heuristics (6)

  • Composite Moniker in RTF OLE object (severity: high; CVE related) RTF_COMPOSITE_MONIKER_RELATED
    RTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
  • ClamAV: Doc.Macro.Obfuscation-6391394-0 (severity: critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Macro.Obfuscation-6391394-0
  • \objupdate forces OLE activation (severity: high) RTF_OBJUPDATE
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium) RTF_OBJDATA
    RTF contains 11 \objdata section(s), i.e. embedded OLE objects
  • Embedded OLE object (severity: medium) RTF_OBJEMB
    RTF contains \objemb, an embedded OLE object
  • Embedded URL (severity: info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)

Extracted artifacts (11)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
objdata_00_off00004eb0.bin | rtf-objdata-decoded | RTF \objdata at offset 0x4EB0 | 29243 bytes
  SHA-256: 8977ef07147e0cb22b6e57b3c98292e428e773d5b2166771b7ac6ed79b0b2792
  Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
  Obfuscation or payload: unlikely
objdata_01_off000159f8.bin | rtf-objdata-decoded | RTF \objdata at offset 0x159F8 | 29243 bytes
  SHA-256: b5422396e58ddb39c875021d43938e3d4b0fe08248bea393f6d1981d8f7225ac
  Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
  Obfuscation or payload: unlikely
objdata_02_off000272fe.bin | rtf-objdata-decoded | RTF \objdata at offset 0x272FE | 29243 bytes
  SHA-256: ef29aac08b39e323bccf321a3e67a629ed1a946e72ab670f3ec2fb588797b03d
  Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
  Obfuscation or payload: unlikely
objdata_03_off0003afa5.bin | rtf-objdata-decoded | RTF \objdata at offset 0x3AFA5 | 29243 bytes
  SHA-256: 9f101b1a94665a68b0c9ab96eea1aba810c372f7de71663f656d23612a22e94c
  Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
  Obfuscation or payload: unlikely
objdata_04_off0004ec4e.bin | rtf-objdata-decoded | RTF \objdata at offset 0x4EC4E | 29243 bytes
  SHA-256: 54da05a634d8a92428a583b789de7c408597e6aec8bcd276ab14ec122c80aa2a
  Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
  Obfuscation or payload: unlikely
objdata_05_off000628f7.bin | rtf-objdata-decoded | RTF \objdata at offset 0x628F7 | 29243 bytes
  SHA-256: bcf1f254237ba2eed6b822e8a0893d7d901fc6238397d25cd5274ea32ab027fd
  Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
  Obfuscation or payload: unlikely
objdata_06_off000765a0.bin | rtf-objdata-decoded | RTF \objdata at offset 0x765A0 | 29243 bytes
  SHA-256: 05b99ca3d2da4f257ea8bc6aadd92b34314a6f7a0559a3005e2e425107987524
  Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
  Obfuscation or payload: unlikely
objdata_07_off0008a249.bin | rtf-objdata-decoded | RTF \objdata at offset 0x8A249 | 29243 bytes
  SHA-256: bb5b6061297059a6e322699b92d677a91539ed5ee64f91d336698f3af5ac4e45
  Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
  Obfuscation or payload: unlikely
objdata_08_off0009def2.bin | rtf-objdata-decoded | RTF \objdata at offset 0x9DEF2 | 29243 bytes
  SHA-256: 013e06fecd1c3fdc1ea3bfa162253d3820e8b20961812325675b85fc4119b6ef
  Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
  Obfuscation or payload: unlikely
objdata_09_off000b1b9b.bin | rtf-objdata-decoded | RTF \objdata at offset 0xB1B9B | 29243 bytes
  SHA-256: d25702d3f675a7d684f0de45d29cf063906d4011226be7be983f15c6bf6d4404
  Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
  Obfuscation or payload: unlikely
objdata_10_off000c5844.bin | rtf-objdata-decoded | RTF \objdata at offset 0xC5844 | 29243 bytes
  SHA-256: 3c9cf054994d9d77d2cb6c90efb434bbcd27c1f74ae880a677f1a9858254e959
  Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
  Obfuscation or payload: unlikely