Malicious RTF — malware analysis report

Static analysis result for SHA-256 47c3d2feb6896024…

Verdict: MALICIOUS
File type: RTF
Size: 2.73 MB
Created: 2018-01-25 13:56:00
First seen: 2021-02-23
MD5: d6dcd551253dd95dc6d8ef93ee52aea3
SHA-1: aeef07b4ea61ee69b5f017afdfc8abd100a57b7e
SHA-256: 47c3d2feb6896024d10b0ec207fa1bce60d4dc46f4efbcdb61d266989780dee8
Risk Score: 244

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The RTF file contains numerous embedded OLE objects with significant amounts of hex-encoded data, a common technique for hiding malicious payloads. ClamAV detections like Doc.Macro.Obfuscation-6391394-0 further indicate malicious intent. The presence of embedded OLE objects and the potential for exploitation strongly suggest this file is intended to deliver a second-stage payload.

Heuristics (7)

  • ClamAV: Doc.Macro.Obfuscation-6391394-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Macro.Obfuscation-6391394-0
  • \objupdate forces OLE activation [high] RTF_OBJUPDATE
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • Large hex data blocks in OLE object [high] RTF_EXCESSIVE_HEX
    RTF contains ~1115 KB of hex-encoded data inside \objdata sections, which may hide a payload.
  • OLE object data [medium] RTF_OBJDATA
    RTF contains 10 \objdata section(s), i.e. embedded OLE objects.
  • Embedded OLE object [medium] RTF_OBJEMB
    RTF contains \objemb (embedded OLE object).
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)

Extracted artifacts (7)

Files carved from inside the sample during analysis.

  • objdata_00_off00002bfd.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x2BFD
    Size: 136241 bytes
    SHA-256: bc013aea494819d3e3bb470d99ca8ae63f5e271920523f9c9301c9d5a6660e3f
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: likely (carved artifact entropy is 7.43, consistent with packed or encrypted content)
  • objdata_01_off00047936.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x47936
    Size: 136241 bytes
    SHA-256: c4f278e317c6d8668a455997bddd4592f3b00175adeb63652cf42f7bee1d031a
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: likely (carved artifact entropy is 7.43, consistent with packed or encrypted content)
  • objdata_02_off0008c5e5.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x8C5E5
    Size: 136241 bytes
    SHA-256: 3a542b54b59de39154d0a82d84ef7cb0733c4c07b5d955ed212b1357bff10ae3
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: likely (carved artifact entropy is 7.43, consistent with packed or encrypted content)
  • objdata_04_off00115f43.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x115F43
    Size: 136241 bytes
    SHA-256: de4d8efd3dae372a39c411156d5efe9d2b4272f6c9dee74b5fd56976954fb7b1
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: likely (carved artifact entropy is 7.43, consistent with packed or encrypted content)
  • objdata_06_off0019f8a1.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x19F8A1
    Size: 136241 bytes
    SHA-256: f884acc264a5bb50084e637c9ea78de45508cd6c28d4c90b938720adb10632b8
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: likely (carved artifact entropy is 7.43, consistent with packed or encrypted content)
  • objdata_08_off002291ff.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x2291FF
    Size: 136241 bytes
    SHA-256: 1e169c50936fd827539cb6dd8a0faa4dd5e601c991a11c915a30abd85531fb42
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: likely (carved artifact entropy is 7.43, consistent with packed or encrypted content)
  • objdata_09_off0026deae.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x26DEAE
    Size: 136241 bytes
    SHA-256: 83e280112239dff4df8de09091600ab78574f13b0a7fdb286a9110a824d0d57f
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: likely (carved artifact entropy is 7.43, consistent with packed or encrypted content)