Malicious RTF — malware analysis report

Static analysis result for SHA-256 24346ebead2ec6ea…

MALICIOUS

RTF

Size: 476.9 KB  Created: 2018-05-10 16:12:00  First seen: 2021-02-23
MD5: 86210e53ed1942ad6dac5bb9c0844290
SHA-1: b93bed2e799817d49eeeb2cb09099f0c17b233a4
SHA-256: 24346ebead2ec6ea37b27c0939902b570698a2455170ba7ca2d0e9f3c9dac785
Risk score: 202

Heuristics 5

  • ClamAV: Doc.Dropper.Agent-6412232-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6412232-1
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 6 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2003/wordml In RTF body

Extracted artifacts 6

Files carved from inside the sample during analysis.

Fields per artifact: Filename, Kind, Source, Size.

  • objdata_00_off00002c1e.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x2C1E
    Size: 33339 bytes
    SHA-256: 0998169e7c7294473bcb9e862e61c550c26b7b00de24a4df2a3f2ac4116334ad
    Detection: ClamAV: Doc.Dropper.Agent-6412232-1
    Obfuscation or payload: unlikely
  • objdata_01_off00018b3a.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x18B3A
    Size: 33339 bytes
    SHA-256: 1f4d841fe26810c80b0a26bfeec56b7d93a57752dd52ac011ce5bffaea58cd3e
    Detection: ClamAV: Doc.Dropper.Agent-6412232-1
    Obfuscation or payload: unlikely
  • objdata_02_off0002ea56.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x2EA56
    Size: 33339 bytes
    SHA-256: cdb558ce1dc320befcce94c057e40e31d4c4b2d71538652896127802e89e868c
    Detection: ClamAV: Doc.Dropper.Agent-6412232-1
    Obfuscation or payload: unlikely
  • objdata_03_off00044972.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x44972
    Size: 33339 bytes
    SHA-256: aa4058fc948589765cb3262d8330473b5fc61c0cf0357252759549d056cf538a
    Detection: ClamAV: Doc.Dropper.Agent-6412232-1
    Obfuscation or payload: unlikely
  • objdata_04_off0005a88e.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x5A88E
    Size: 33339 bytes
    SHA-256: 42ed4130250f7ac306d3f9febb8f2889906cdf67f1eb25ffaede83762793d3ff
    Detection: ClamAV: Doc.Dropper.Agent-6412232-1
    Obfuscation or payload: unlikely
  • objdata_05_off000707f6.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x707F6
    Size: 13686 bytes
    SHA-256: b0db4a1b434aceff2475ef895a2077afd844159e620b57e8bbfca88a82b77f72