Malicious RTF — malware analysis report

Static analysis result for SHA-256 3b263e971de9f88b…

Verdict: MALICIOUS
File type: RTF
Size: 821.3 KB
Created: 2018-04-16 01:18:00
First seen: 2021-02-23
MD5: 62a0764a834cb504ca6c6f5db402a986
SHA-1: 784c550d3da319b20932b544d4c67368719d5991
SHA-256: 3b263e971de9f88b16297d5f6c74c4ee483d029fdb484ab9051b887b42c312d7
Risk score: 82

Heuristics (4)

  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 10 \objdata section(s): embedded OLE objects.
  • Embedded OLE object (severity: medium, rule: RTF_OBJEMB)
    RTF contains \objemb: embedded OLE object.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (found in RTF body)

Extracted artifacts (10)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
objdata_00_off00002c4d.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2C4D | 27707 bytes | 89e31e61ae6a88e22bb88c6e9db9df9780b95356846904b2fc7a0faffee2e317
objdata_01_off00016484.bin | rtf-objdata-decoded | RTF \objdata at offset 0x16484 | 27707 bytes | 92b7ab3a9ffcc2f3c76843c42c432896bf73ef6145f5a5613fd8e3766696d79e
objdata_02_off00029cbb.bin | rtf-objdata-decoded | RTF \objdata at offset 0x29CBB | 27707 bytes | 8b39ddf09c92b4cb6bb098d379c442e9a60cb5643076a5c1a1bd22147e4a8427
objdata_03_off0003d4f2.bin | rtf-objdata-decoded | RTF \objdata at offset 0x3D4F2 | 27707 bytes | 49a947bc019d6fb6527dcf89e472146ed0a0f8975f93f6e4bb013cfad136bde8
objdata_04_off00050d29.bin | rtf-objdata-decoded | RTF \objdata at offset 0x50D29 | 27707 bytes | 8fcc0444dd36acb3ee088e43c6f488d71755f9b41ac25e679ec2fd38494aef68
objdata_05_off000645ac.bin | rtf-objdata-decoded | RTF \objdata at offset 0x645AC | 27707 bytes | 1cdb3fc1841b1ccee89d507d09722bc6cde2ae78def8245349c9beb7517fdce6
objdata_06_off00077de3.bin | rtf-objdata-decoded | RTF \objdata at offset 0x77DE3 | 27707 bytes | ffe174552a8392fe13c3774ddb7a1c4af2aa5ffbf108791a2508a8801f9ba9b0
objdata_07_off0008b61a.bin | rtf-objdata-decoded | RTF \objdata at offset 0x8B61A | 27707 bytes | 25272c940378d0356e1b4021dd6a68e160e33a0b856659ef8435b35266894e6d
objdata_08_off0009ee51.bin | rtf-objdata-decoded | RTF \objdata at offset 0x9EE51 | 27707 bytes | c44523ffbf95f8fd10ca3014a592ce0179631b274b44d98bca746fbc97d0df26
objdata_09_off000b2688.bin | rtf-objdata-decoded | RTF \objdata at offset 0xB2688 | 27707 bytes | ec4859b10facdd00aafb5fa1faa655352ce96e21d810574cdfee55f39f7f9022