Malicious RTF — malware analysis report

Static analysis result for SHA-256 4eb5a28d72f55c6e…

Verdict: MALICIOUS
File type: RTF
Size: 1.45 MB
Created: 2018-06-01 14:31:00
First seen: 2021-02-23
MD5: 7f51124e0d15008cacd0a407d2ca9bf8
SHA-1: a6ff9802cfd25ff79a5c3348a233f56223b4659b
SHA-256: 4eb5a28d72f55c6e8d4d80c650547266e6c9aa0b2a73f9253f3cc2a61010886f
Risk score: 282

Heuristics (7)

  • Composite Moniker in RTF OLE object [high, CVE related] RTF_COMPOSITE_MONIKER_RELATED
    RTF contains a Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
  • ClamAV: Xls.Malware.Generic-6834349-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.Generic-6834349-0
  • \objupdate forces OLE activation [high] RTF_OBJUPDATE
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • Large hex data blocks in OLE object [high] RTF_EXCESSIVE_HEX
    RTF contains ~1006 KB of hex-encoded data inside \objdata sections; this may hide a payload.
  • OLE object data [medium] RTF_OBJDATA
    RTF contains 15 \objdata section(s) (embedded OLE objects).
  • Embedded OLE object [medium] RTF_OBJEMB
    RTF contains \objemb (embedded OLE object).
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)

Extracted artifacts (13)

Files carved from inside the sample during analysis. Each entry lists filename, kind, source, and size, followed by its hash and detection result.

  • objdata_00_off00003cfe.bin (rtf-objdata-decoded), from RTF \objdata at offset 0x3CFE, 35899 bytes
    SHA-256: 0c3a0c0604a83a929695d12f3bd3b60a0ba98ce3ba2df3b803ba79509dfffeaa
    Detection: ClamAV: Xls.Malware.Generic-6834349-0
    Obfuscation or payload: unlikely
  • objdata_01_off0001adde.bin (rtf-objdata-decoded), from RTF \objdata at offset 0x1ADDE, 35899 bytes
    SHA-256: aeda1846d61e655e0fb18ec5598be2aec90e1ba7f256c1b2404888543d575f8a
    Detection: ClamAV: Xls.Malware.Generic-6834349-0
    Obfuscation or payload: unlikely
  • objdata_04_off0006007e.bin (rtf-objdata-decoded), from RTF \objdata at offset 0x6007E, 35899 bytes
    SHA-256: 75eb3af4911a4d03fea068e3f45c9f97ac73d92e1bf2eedffa10412f959fcd4e
    Detection: ClamAV: Xls.Malware.Generic-6834349-0
    Obfuscation or payload: unlikely
  • objdata_05_off00077fab.bin (rtf-objdata-decoded), from RTF \objdata at offset 0x77FAB, 35899 bytes
    SHA-256: 2b0fdf59429672860d9129b9d1e0b710e08843345f3bf07428bee314063dd60a
    Detection: ClamAV: Xls.Malware.Generic-6834349-0
    Obfuscation or payload: unlikely
  • objdata_06_off0008efe2.bin (rtf-objdata-decoded), from RTF \objdata at offset 0x8EFE2, 35899 bytes
    SHA-256: 87adf6b625aa17299b0b6dddbe7526c823b415685e52f561946e00cf3376945b
    Detection: ClamAV: Xls.Malware.Generic-6834349-0
    Obfuscation or payload: unlikely
  • objdata_07_off000a6120.bin (rtf-objdata-decoded), from RTF \objdata at offset 0xA6120, 35899 bytes
    SHA-256: 47cb382e0be54dc11f5589849834e1ef1c0328551063a812d565f63f01c766ae
    Detection: ClamAV: Xls.Malware.Generic-6834349-0
    Obfuscation or payload: unlikely
  • objdata_08_off000bd25e.bin (rtf-objdata-decoded), from RTF \objdata at offset 0xBD25E, 35899 bytes
    SHA-256: 9b22544f4b830790418f8e51af71925858fe3ecba8a7b8274884f2f915941082
    Detection: ClamAV: Xls.Malware.Generic-6834349-0
    Obfuscation or payload: unlikely
  • objdata_09_off000d439c.bin (rtf-objdata-decoded), from RTF \objdata at offset 0xD439C, 35899 bytes
    SHA-256: 29cf4e597c7b8e436670a5a46a6a197b8ea050f1a4ab90b15df20a3647f6ace4
    Detection: ClamAV: Xls.Malware.Generic-6834349-0
    Obfuscation or payload: unlikely
  • objdata_10_off000eb4e1.bin (rtf-objdata-decoded), from RTF \objdata at offset 0xEB4E1, 35899 bytes
    SHA-256: 6a00eb25ff88abd7c6b34aff4c935fe6ede5292722332870ed4be30cf754dd7a
    Detection: ClamAV: Xls.Malware.Generic-6834349-0
    Obfuscation or payload: unlikely
  • objdata_11_off0010261f.bin (rtf-objdata-decoded), from RTF \objdata at offset 0x10261F, 35899 bytes
    SHA-256: 0d5b7cfb1c46cac14b42aa20bb0a0c05b04641376a00a7af4b36694ccea9145c
    Detection: ClamAV: Xls.Malware.Generic-6834349-0
    Obfuscation or payload: unlikely
  • objdata_12_off0011975d.bin (rtf-objdata-decoded), from RTF \objdata at offset 0x11975D, 35899 bytes
    SHA-256: d902f30c21dbe8cb7ca5a4804d470987da2ca0c58847911ea6461aff20ebb06f
    Detection: ClamAV: Xls.Malware.Generic-6834349-0
    Obfuscation or payload: unlikely
  • objdata_13_off0013089b.bin (rtf-objdata-decoded), from RTF \objdata at offset 0x13089B, 35899 bytes
    SHA-256: 51d7561f1eae4d98ce0873893fa2c22e5b166d335313543ddd351cfce1e2de86
    Detection: ClamAV: Xls.Malware.Generic-6834349-0
    Obfuscation or payload: unlikely
  • objdata_14_off001479d9.bin (rtf-objdata-decoded), from RTF \objdata at offset 0x1479D9, 35899 bytes
    SHA-256: 0d41d6d5ef1a67d1cfbf783c64481479817ea5ac09117529280bf365f6ec6f63
    Detection: ClamAV: Xls.Malware.Generic-6834349-0
    Obfuscation or payload: unlikely