Malicious RTF — malware analysis report

Static analysis result for SHA-256 5260738928d77fc0…

Verdict: MALICIOUS
File type: RTF
Size: 1.62 MB
Created: 2018-01-21 02:23:00
First seen: 2021-02-23
MD5: c7be25d5f74eec1e6a9cf25f4ca9b782
SHA-1: 1ddc0b5970295eefb0100f554aa07a4f0dee32ad
SHA-256: 5260738928d77fc03dd2e25716998629347bc4b09a1aca36e5d9a0a020f896c2
Risk score: 242

Heuristics (6)

  • ClamAV: Doc.Macro.Obfuscation-6391394-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Macro.Obfuscation-6391394-0
  • \objupdate forces OLE activation [high] RTF_OBJUPDATE
    RTF contains \objupdate, which forces the embedded OLE object to be instantiated automatically when the document is opened, with no click or prompt for the user. Almost exclusively seen in Equation Editor exploit documents; confirm by checking the class name of the carved OLE objects.
  • Large hex data blocks in OLE object [high] RTF_EXCESSIVE_HEX
    RTF contains ~1633 KB of hex-encoded data inside \objdata sections, which may hide a payload. Note that the ten carved objects below total only 220,810 decoded bytes (about 431 KB of hex), so most of the hex run is not accounted for by the carved files; inspect the raw \objdata runs directly rather than relying on the carved artifacts alone.
  • OLE object data [medium] RTF_OBJDATA
    RTF contains 10 \objdata section(s): embedded OLE objects
  • Embedded OLE object [medium] RTF_OBJEMB
    RTF contains \objemb: an embedded OLE object
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body; this is the WordML schema namespace, a benign artefact of Word-generated RTF)
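To make the \objupdate, \objemb, \objdata and hex-size heuristics above concrete, here is an added example written for this page, not the analysis service's own code. It carves every \objdata destination from an RTF the way the artifact list below does (offset of the keyword, decoded size, SHA-256), flags the OLE control words, sums the decoded bytes for the excessive-hex check, and additionally parses the OLE 1.0 object header to recover the class name, which is the check that tells an Equation Editor object apart from a harmless embedding. The sample RTF and the `Equation.3` object inside it are constructed here for the demonstration; `build_ole1_object`, `build_sample_rtf`, `carve_objdata`, `parse_ole1_header` and `scan_rtf` are names chosen for this example.

```python
import hashlib
import json
import re
import struct
import sys

HEX_DIGITS = b"0123456789abcdefABCDEF"
# OLE control words the report's heuristics key on (RTF_OBJUPDATE, RTF_OBJEMB, ...)
RTF_FLAGS = (b"\\objupdate", b"\\objemb", b"\\objautlink", b"\\objocx")
CONTROL_RE = re.compile(rb"\\([A-Za-z]+-?\d*|[^A-Za-z])")   # control word or symbol


def carve_objdata(rtf: bytes):
    """Decode every \\objdata destination; returns [(offset_of_keyword, bytes)].

    Hex characters at the destination's own group level are kept, control words
    are skipped and nested groups are ignored (\\bin binary runs are not handled).
    Obfuscated samples abuse exactly these parser differences, so treat the
    result as a first pass, not ground truth.
    """
    found = []
    for m in re.finditer(rb"\\objdata\b", rtf):
        pos, depth, hexchars = m.end(), 0, bytearray()
        while pos < len(rtf):
            c = rtf[pos:pos + 1]
            if c == b"{":
                depth += 1
            elif c == b"}":
                if depth == 0:          # closing brace of the \objdata group
                    break
                depth -= 1
            elif c == b"\\":            # skip the whole control word / symbol
                cw = CONTROL_RE.match(rtf, pos)
                pos = cw.end() if cw else pos + 1
                continue
            elif depth == 0 and c in HEX_DIGITS:
                hexchars += c
            pos += 1
        if len(hexchars) % 2:           # drop a dangling nibble
            hexchars = hexchars[:-1]
        found.append((m.start(), bytes.fromhex(hexchars.decode("ascii"))))
    return found


def parse_ole1_header(data: bytes):
    """Return (class_name, native_size) for an OLE 1.0 EmbeddedObject, else None.

    Layout (MS-OLEDS 2.2.5): OLEVersion, FormatID (2 = embedded), then ClassName,
    TopicName and ItemName as length-prefixed ANSI strings, then NativeDataSize.
    """
    if len(data) < 12:
        return None
    version, format_id = struct.unpack_from("<II", data, 0)
    if version != 0x00000501 or format_id != 2:
        return None
    pos, names = 8, []
    for _ in range(3):
        if pos + 4 > len(data):
            return None
        (n,) = struct.unpack_from("<I", data, pos)
        pos += 4
        if n > len(data) - pos:
            return None
        names.append(data[pos:pos + n].rstrip(b"\x00").decode("latin-1"))
        pos += n
    if pos + 4 > len(data):
        return None
    (native_size,) = struct.unpack_from("<I", data, pos)
    return names[0], native_size


def scan_rtf(rtf: bytes) -> dict:
    """Reproduce the report's RTF heuristics and carve/hash each OLE object."""
    report = {
        "objdata_count": len(re.findall(rb"\\objdata\b", rtf)),
        "flags": [f.decode() for f in RTF_FLAGS if f in rtf],
        "objects": [],
    }
    for offset, data in carve_objdata(rtf):
        hdr = parse_ole1_header(data)
        report["objects"].append({
            "offset": hex(offset),
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "class_name": hdr[0] if hdr else None,
            "native_size": hdr[1] if hdr else None,
        })
    report["decoded_bytes"] = sum(o["size"] for o in report["objects"])
    return report


def build_ole1_object(class_name: bytes, native: bytes) -> bytes:
    """Serialise a minimal OLE 1.0 EmbeddedObject (constructed test data)."""
    def lpstr(s: bytes) -> bytes:       # LengthPrefixedAnsiString, null-terminated
        if not s:
            return struct.pack("<I", 0)
        return struct.pack("<I", len(s) + 1) + s + b"\x00"
    return (struct.pack("<II", 0x00000501, 2)
            + lpstr(class_name) + lpstr(b"") + lpstr(b"")
            + struct.pack("<I", len(native)) + native)


def build_sample_rtf() -> bytes:
    """Constructed RTF (not the analysed sample): one \\objemb\\objupdate object whose
    hex is split across lines and interrupted by a nested group, as real samples do."""
    h = build_ole1_object(b"Equation.3", b"A" * 16).hex().encode()
    body = h[:20] + b"\r\n" + h[20:40] + b"{\\*\\filler 1}" + h[40:]
    return (b"{\\rtf1\\ansi{\\object\\objemb\\objupdate\\objw100\\objh100"
            b"{\\*\\objclass Equation.3}{\\*\\objdata " + body + b"}}}")


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_rtf()
    print(json.dumps(scan_rtf(blob), indent=2))
```

Run it with a path argument to scan a real RTF, or without one to scan the constructed sample. Comparing `decoded_bytes` with the raw size of the hex runs is the quickest way to see whether a carver is missing data, which is the discrepancy noted under RTF_EXCESSIVE_HEX above.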

Extracted artifacts (10)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size (all ten objects decode to the same 22081-byte length but carry different hashes)

objdata_00_off000035ef.bin | rtf-objdata-decoded | RTF \objdata at offset 0x35EF | 22081 bytes
  SHA-256: b8a27324f86090cb70cd480f703a426380c0e2e2d21374c7b7e06eae788756ed
  Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
  Obfuscation or payload: unlikely

objdata_01_off00013c32.bin | rtf-objdata-decoded | RTF \objdata at offset 0x13C32 | 22081 bytes
  SHA-256: 8c19c7b5ffa52d11661bbbdc38be9fb98ffe9ad805ba0046ff2dc70762863618
  Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
  Obfuscation or payload: unlikely

objdata_02_off00024275.bin | rtf-objdata-decoded | RTF \objdata at offset 0x24275 | 22081 bytes
  SHA-256: 42fc314aa201a86ed2f1c61130b4cf63be0b46a53219007bafcb4fd11cd7b5c6
  Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
  Obfuscation or payload: unlikely

objdata_03_off000348b8.bin | rtf-objdata-decoded | RTF \objdata at offset 0x348B8 | 22081 bytes
  SHA-256: 25ede90b2c0c054428867d6aee4c7761e38659047b919cbc24ce26a2940ea4a8
  Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
  Obfuscation or payload: unlikely

objdata_04_off00044efb.bin | rtf-objdata-decoded | RTF \objdata at offset 0x44EFB | 22081 bytes
  SHA-256: 0b8abad4e63e1d7b132585728507cd190c9515042ddf8724e03e65feed15456d
  Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
  Obfuscation or payload: unlikely

objdata_05_off0005553e.bin | rtf-objdata-decoded | RTF \objdata at offset 0x5553E | 22081 bytes
  SHA-256: 8cd5644272b13a25ea7fecc7daac69bef8aac3d9b8d355dddbc4b1662e586b7a
  Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
  Obfuscation or payload: unlikely

objdata_06_off00065b81.bin | rtf-objdata-decoded | RTF \objdata at offset 0x65B81 | 22081 bytes
  SHA-256: a2a191049d3749c77dd335b63c3870ed3fb30258e63f2d7dc893b8a1db88168d
  Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
  Obfuscation or payload: unlikely

objdata_07_off000761c4.bin | rtf-objdata-decoded | RTF \objdata at offset 0x761C4 | 22081 bytes
  SHA-256: f890d5220e48efa8273204a5797684b88e7a73bf878ed1ba8c60a8b354587954
  Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
  Obfuscation or payload: unlikely

objdata_08_off00086807.bin | rtf-objdata-decoded | RTF \objdata at offset 0x86807 | 22081 bytes
  SHA-256: a2e868995ef4e25763eee361c6493e6883ed3f77890dadb62ca73b81fc11a990
  Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
  Obfuscation or payload: unlikely

objdata_09_off00096e4a.bin | rtf-objdata-decoded | RTF \objdata at offset 0x96E4A | 22081 bytes
  SHA-256: fb3f3ffe2aa243540b345d81170823c7ac5561b9221f8a95699d59f745901b08
  Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
  Obfuscation or payload: unlikely