Malicious RTF — malware analysis report

Static analysis result for SHA-256 28b40d023347ae8e…

MALICIOUS

RTF

Size: 961.4 KB
Created: 2018-06-19 12:01:00
First seen: 2021-02-23
MD5: 6fb9822d9d6bbc93c0c24750baeee3b4
SHA-1: 8ea6c655f60b9227f3818286af79e16de1765d20
SHA-256: 28b40d023347ae8e19986e50ef5d972435cb78f1f2f971eb7f3d4e7c4ca7b48c
Risk score: 242

Heuristics (6)

  • Composite Moniker in RTF OLE object [high, CVE related] RTF_COMPOSITE_MONIKER_RELATED
    RTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
  • ClamAV: Xls.Malware.Generic-6834349-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.Generic-6834349-0
  • \objupdate forces OLE activation [high] RTF_OBJUPDATE
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium] RTF_OBJDATA
    RTF contains 10 \objdata section(s) (embedded OLE objects)
  • Embedded OLE object [medium] RTF_OBJEMB
    RTF contains \objemb (embedded OLE object)
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)

Extracted artifacts (10)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256 | Detection | Obfuscation or payload

objdata_00_off00003d75.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x3D75
  Size: 35899 bytes
  SHA-256: e6938906385aeea15b85d76b91f7f199126c3ac2b68962de3390cb8766b02ac6
  Detection: ClamAV: Xls.Malware.Generic-6834349-0
  Obfuscation or payload: unlikely

objdata_01_off0001ae6b.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x1AE6B
  Size: 35899 bytes
  SHA-256: 09c45348c450e3aa18eac2c4747b9c4fabac75bc66107e65472fec4029cd2eff
  Detection: ClamAV: Xls.Malware.Generic-6834349-0
  Obfuscation or payload: unlikely

objdata_02_off00031f61.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x31F61
  Size: 35899 bytes
  SHA-256: 52cb251f98f77517076deb01fe9ecb0a24f431144fa2f75017625c325f04f39c
  Detection: ClamAV: Xls.Malware.Generic-6834349-0
  Obfuscation or payload: unlikely

objdata_03_off00049057.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x49057
  Size: 35899 bytes
  SHA-256: 3eabc263d9b5062b06df490bb73e70de26baba86d413fbeb2e5caa3a670f17b2
  Detection: ClamAV: Xls.Malware.Generic-6834349-0
  Obfuscation or payload: unlikely

objdata_04_off0006014d.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x6014D
  Size: 35899 bytes
  SHA-256: de754c9e0b69e825d94fef9081bd804714ee0b3fd3b7e59a91ff66f81562b5d8
  Detection: ClamAV: Xls.Malware.Generic-6834349-0
  Obfuscation or payload: unlikely

objdata_05_off0007805a.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x7805A
  Size: 35899 bytes
  SHA-256: 335ce98680fca86263655c593dd265ffe5e76b46d9e5359b10cbd4ea13f04155
  Detection: ClamAV: Xls.Malware.Generic-6834349-0
  Obfuscation or payload: unlikely

objdata_06_off0008f16e.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x8F16E
  Size: 35899 bytes
  SHA-256: 7747011c54f63aeb300eb28b50bbc91936279fb0e346fce543432d9f2169e240
  Detection: ClamAV: Xls.Malware.Generic-6834349-0
  Obfuscation or payload: unlikely

objdata_07_off000a6284.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0xA6284
  Size: 35899 bytes
  SHA-256: c8933c5f34c8a8a274eb9de48eb3cb9e3153dee014a8c490cef08ebc6129e543
  Detection: ClamAV: Xls.Malware.Generic-6834349-0
  Obfuscation or payload: unlikely

objdata_08_off000bd39a.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0xBD39A
  Size: 35899 bytes
  SHA-256: 39e5734e92eab68d8a60eb5bcf75910c75c533cdba0416c1f6565d91f1760899
  Detection: ClamAV: Xls.Malware.Generic-6834349-0
  Obfuscation or payload: unlikely

objdata_09_off000d44b0.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0xD44B0
  Size: 35899 bytes
  SHA-256: 16299e96c4491aa6ded26ee509848f3ae89d7bc9e7257307fa2387d3d21a5db3
  Detection: ClamAV: Xls.Malware.Generic-6834349-0
  Obfuscation or payload: unlikely