Malicious RTF — malware analysis report

Static analysis result for SHA-256 180734591883412d…

Verdict: MALICIOUS
File type: RTF
Size: 675.4 KB   Created: 2017-11-01 09:13:00   First seen: 2021-02-23
MD5: 027b465ca40a52bb96c9f53e831be0bc   SHA-1: 0ca37461ab2cf002133cceaf6811fd679b5b44e6   SHA-256: 180734591883412d5ad4db3f768b59e7e918fcc987915fb130e72077a27f15a0
Risk Score: 202

Heuristics (5)

  • ClamAV: Doc.Macro.Obfuscation-6391394-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Macro.Obfuscation-6391394-0
  • \objupdate forces OLE activation [high] RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium] RTF_OBJDATA
    RTF contains 10 \objdata section(s) — embedded OLE objects
  • Embedded OLE object [medium] RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)

Extracted artifacts (10)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
objdata_00_off00002a83.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2A83 | 21057 bytes
  SHA-256: 9ac76590ac2f02b639b9c608dc20b04fccc2988d0c878183986d13e63f54aae6
  Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
  Obfuscation or payload: unlikely
objdata_01_off00012890.bin | rtf-objdata-decoded | RTF \objdata at offset 0x12890 | 21057 bytes
  SHA-256: 34580d2f43443a00cbdf91191d9e465fc3650391e88e111609a51fb602dc24fa
  Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
  Obfuscation or payload: unlikely
objdata_02_off0002269f.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2269F | 21057 bytes
  SHA-256: d0cf4de9799be5109a9ebb868fd0ec9d6cf16e1ef6cb0c52a91da577af6f13b0
  Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
  Obfuscation or payload: unlikely
objdata_03_off000324ae.bin | rtf-objdata-decoded | RTF \objdata at offset 0x324AE | 21057 bytes
  SHA-256: de8660fc7989dcc997a79b2e8faa1d1b2077472959d331e18616c9243cd5064d
  Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
  Obfuscation or payload: unlikely
objdata_04_off000422bd.bin | rtf-objdata-decoded | RTF \objdata at offset 0x422BD | 21057 bytes
  SHA-256: b2678a12c6c6770efcc30cab5a755d83741a788fd2664241f46d6ef8e56ea6b7
  Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
  Obfuscation or payload: unlikely
objdata_05_off000520cc.bin | rtf-objdata-decoded | RTF \objdata at offset 0x520CC | 21057 bytes
  SHA-256: dace8a0ae05b4b3fbd553b300696a28d88c2beee6a89d45ad95c63483ab6ad19
  Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
  Obfuscation or payload: unlikely
objdata_06_off00061edb.bin | rtf-objdata-decoded | RTF \objdata at offset 0x61EDB | 21057 bytes
  SHA-256: 09408842e27a1809a7c7b784b6abd4ce8a9d43b7d325d7f72b9c7f4cb9eed677
  Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
  Obfuscation or payload: unlikely
objdata_07_off00071cea.bin | rtf-objdata-decoded | RTF \objdata at offset 0x71CEA | 21057 bytes
  SHA-256: 0a0c3609512ea2a9ab72a1e478d337ef848faf66144839f4f2485bbba6bfbdb4
  Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
  Obfuscation or payload: unlikely
objdata_08_off00081af9.bin | rtf-objdata-decoded | RTF \objdata at offset 0x81AF9 | 21057 bytes
  SHA-256: 1dd9d6c4fc3fad19c4d079746ae6a95e9609ae5cddcf36e1815105e3853fa341
  Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
  Obfuscation or payload: unlikely
objdata_09_off00091908.bin | rtf-objdata-decoded | RTF \objdata at offset 0x91908 | 21057 bytes
  SHA-256: ba4724ac80a8eba7f069934f4a6fe1215544a6a4bd4f97a28f18f404c8221135
  Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
  Obfuscation or payload: unlikely