Malicious RTF — malware analysis report

Static analysis result for SHA-256 4c411718c6083506…

Verdict: MALICIOUS
File type: RTF
Size: 500.8 KB
Created: 2017-12-08 05:27:00
First seen: 2021-02-23
MD5: 0ed55f706017ceea880de981c5169d22
SHA-1: 45a0441ab37485b37a3395fcf26926d37c87c096
SHA-256: 4c411718c6083506d89747cb2aa0eed045911730d1fc9f128be9e2c058eeb4ed
Risk score: 102

Heuristics (4)

  • ClamAV (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Exploit.DDEautoexec-6346603-1
  • OLE object data (medium, RTF_OBJDATA)
    RTF contains 10 \objdata section(s), i.e. embedded OLE objects
  • Embedded OLE object (medium, RTF_OBJEMB)
    RTF contains \objemb, an embedded OLE object
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (found in RTF body)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                    | Kind                | Source                         | Size
----------------------------|---------------------|--------------------------------|------------
objdata_00_off000035b4.bin  | rtf-objdata-decoded | RTF \objdata at offset 0x35B4  | 19505 bytes
    SHA-256: 8ea3c9778fb8ef94876a9c66c5edb3ad2973412c7376f95917841933e13a9f32
objdata_01_off0000ead0.bin  | rtf-objdata-decoded | RTF \objdata at offset 0xEAD0  | 19505 bytes
    SHA-256: 46dfa7c95ecc22c429606376c3b5f1c3b75b039ea6cc0473322460dfc4962748
objdata_07_off00052979.bin  | rtf-objdata-decoded | RTF \objdata at offset 0x52979 | 19505 bytes
    SHA-256: 9aa9010011263768a76c35e4e0f1fb2d13c5e3b785db58c5488574432f434c50