Malicious RTF — malware analysis report

Static analysis result for SHA-256 5062a698879870e7…

Verdict: MALICIOUS
File type: RTF
Size: 665.3 KB    Created: 2017-10-30 11:15:00    First seen: 2021-02-23
MD5: 543839a6a0f6addfc168ea99b60d9c2e
SHA-1: 672974b56a24163909602450899fee0b2a55c044
SHA-256: 5062a698879870e73250973e45cadcaade05a314f4f17fb17f14f82007bd6b1b
Risk Score: 202

Heuristics (5)

  • ClamAV: Doc.Macro.Obfuscation-6391394-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Macro.Obfuscation-6391394-0
  • \objupdate forces OLE activation [high] (RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium] (RTF_OBJDATA)
    RTF contains 10 \objdata section(s) — embedded OLE objects
  • Embedded OLE object [medium] (RTF_OBJEMB)
    RTF contains \objemb — embedded OLE object
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)

Extracted artifacts (10)

Files carved from inside the sample during analysis.

Columns per artifact: Filename / Kind / Source / Size, followed by its SHA-256 and detection result.

  • objdata_00_off00002a8a.bin
    Kind: rtf-objdata-decoded    Source: RTF \objdata at offset 0x2A8A    Size: 20545 bytes
    SHA-256: 4bacbf8e2de8e9596320809e850180749c2753a5a53c3808378f39c7069a5924
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely
  • objdata_01_off00012491.bin
    Kind: rtf-objdata-decoded    Source: RTF \objdata at offset 0x12491    Size: 20545 bytes
    SHA-256: d482bf9d91dfb9b23c16563d3b540b0eee3218b04449fec656622725c15358c2
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely
  • objdata_02_off00021e9a.bin
    Kind: rtf-objdata-decoded    Source: RTF \objdata at offset 0x21E9A    Size: 20545 bytes
    SHA-256: bf75c21ee78ce1e1a058438a2385e3337601af479f806c66150cfacdccfc658c
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely
  • objdata_03_off000318a3.bin
    Kind: rtf-objdata-decoded    Source: RTF \objdata at offset 0x318A3    Size: 20545 bytes
    SHA-256: f7be4f1f6e0840b9fe511097a5ad42fa4f3fecbf8cc889d62168b0b70802afb0
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely
  • objdata_04_off000412ac.bin
    Kind: rtf-objdata-decoded    Source: RTF \objdata at offset 0x412AC    Size: 20545 bytes
    SHA-256: 00f7ff52a6a9f26611d1b55172bd8f8017134cb5ce80c4e0e3c908fb80fc36b9
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely
  • objdata_05_off00050cb5.bin
    Kind: rtf-objdata-decoded    Source: RTF \objdata at offset 0x50CB5    Size: 20545 bytes
    SHA-256: fb4167791b1fc126340029fab98ce03c3b8ea0273de67e2c4e0794e2182e740d
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely
  • objdata_06_off000606be.bin
    Kind: rtf-objdata-decoded    Source: RTF \objdata at offset 0x606BE    Size: 20545 bytes
    SHA-256: e374a5e70264b5287f5254234d06d75b89864478bc3e7cd51bbd0c6db5de905d
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely
  • objdata_07_off000700c7.bin
    Kind: rtf-objdata-decoded    Source: RTF \objdata at offset 0x700C7    Size: 20545 bytes
    SHA-256: df5487099d6b80ff0d849af6c43dd34e38946e1900725ec4e5a7e3f5c83a5883
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely
  • objdata_08_off0007fad0.bin
    Kind: rtf-objdata-decoded    Source: RTF \objdata at offset 0x7FAD0    Size: 20545 bytes
    SHA-256: db7d6f594b453295ab578e053ce1f68da93d48b9f735c3df1009050d24fb5497
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely
  • objdata_09_off0008f4d9.bin
    Kind: rtf-objdata-decoded    Source: RTF \objdata at offset 0x8F4D9    Size: 20545 bytes
    SHA-256: ec7e45090579df1fd699a48a6a6a65a2939ef6e4ab64b73435611450b7aa19d4
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely