Malicious RTF — malware analysis report

Static analysis result for SHA-256 50a6a2af404f6036…

Verdict: MALICIOUS
File type: RTF
Size: 1.63 MB
Created: 2018-01-15 01:39:00
First seen: 2021-02-23
MD5: 16a10fd99d0fcd39b66e4ae04aed69f2
SHA-1: 5d14e8a1233a056b3b7b3e75245d00ba1af111eb
SHA-256: 50a6a2af404f6036777c1cab0ce6425371cbed1f0190d4e17cb5a6c7174321b5
Risk score: 242

Heuristics (6)

  • ClamAV: Doc.Macro.Obfuscation-6391394-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Macro.Obfuscation-6391394-0
  • \objupdate forces OLE activation [high] RTF_OBJUPDATE
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • Large hex data blocks in OLE object [high] RTF_EXCESSIVE_HEX
    RTF contains ~1643KB of hex-encoded data inside \objdata sections, which may hide a payload.
  • OLE object data [medium] RTF_OBJDATA
    RTF contains 10 \objdata section(s) (embedded OLE objects).
  • Embedded OLE object [medium] RTF_OBJEMB
    RTF contains \objemb (embedded OLE object).
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (found in RTF body)

Extracted artifacts (10)

Files carved from inside the sample during analysis.

  • objdata_00_off000035fa.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x35FA
    Size: 22593 bytes
    SHA-256: dc606e1534d9061ee37468a3e787304eccabf0829de64fe289f1b22a2dbeb88c
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely
  • objdata_01_off00014045.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x14045
    Size: 22593 bytes
    SHA-256: 9906d337898215967e8a2e55cd2a1ad619bc2b945270efe70b9018ce12dd67a0
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely
  • objdata_02_off00024a90.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x24A90
    Size: 22593 bytes
    SHA-256: fb324832525065dabba2083b8447706cf9f355cb802ebc5142342a2ff666a372
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely
  • objdata_03_off000354db.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x354DB
    Size: 22593 bytes
    SHA-256: 2350fc803639cd9597775a3d8744e65687481964b213b818d964aa1f2fc954a1
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely
  • objdata_04_off00045f26.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x45F26
    Size: 22593 bytes
    SHA-256: b8702189993b0ff8a0e221281b606ff4a76f045202683bc368467a6e100fdf9d
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely
  • objdata_05_off00056971.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x56971
    Size: 22593 bytes
    SHA-256: 95e1c3de652b55607b55e9cbf0a7f9900e5f2f1f298bc10f81e18e8a36ff5875
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely
  • objdata_06_off000673bc.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x673BC
    Size: 22593 bytes
    SHA-256: 1d3753b39909ba31cfce1f21f2a71c0f9a5b7e7028e3c5e87ff436e9f9445388
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely
  • objdata_07_off00077e07.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x77E07
    Size: 22593 bytes
    SHA-256: d9d32fdb883656fb3929849b8af001039ac8c0f56fb5f72ed13bb7c5e93f325d
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely
  • objdata_08_off00088852.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x88852
    Size: 22593 bytes
    SHA-256: 2c0bc9653b8d1d4cb198139622c8ac2ab97d8ae2f105eb42d44bb2fa1d70a4c1
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely
  • objdata_09_off0009929d.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x9929D
    Size: 22593 bytes
    SHA-256: 83f64cb22887ed7c77603f74353f622eb7538876763f819c9bdba6b1bca4fd0e
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely