Malicious RTF — malware analysis report

Static analysis result for SHA-256 5311426b5d34e8f4…

Verdict: MALICIOUS
File type: RTF
Size: 1.24 MB
Created: 2018-04-16
First seen: 2021-02-23
MD5: fa1208b45a7c8fac37370998395c94e3
SHA-1: 04dcb06574f629eefed7baf843972e6b814ec80a
SHA-256: 5311426b5d34e8f473c5c3d60b0ee8e54de8a7257e6e377f5819589d2d67d6e1
Risk score: 122

Heuristics (5)

  • \objupdate forces OLE activation (high, RTF_OBJUPDATE)
    RTF contains \objupdate, which makes Word instantiate the OLE object as soon as the document is opened, with no user interaction. Rarely seen outside Equation Editor exploit documents, which depend on the object being loaded without a click.
  • Large hex data blocks in OLE object (high, RTF_EXCESSIVE_HEX)
    RTF contains ~1037 KB of hex-encoded data inside \objdata sections, which may hide a payload; the decoded objects are listed under Extracted artifacts.
  • OLE object data (medium, RTF_OBJDATA)
    RTF contains 16 \objdata sections (embedded OLE objects).
  • Embedded OLE object (medium, RTF_OBJEMB)
    RTF contains \objemb (an embedded, as opposed to linked, OLE object).
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label says which channel (macro, JS, link annotation, document body, ...) reached it.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)
    This is the Word 2003 WordprocessingML XML namespace that Word writes into the RTF namespace table of its own output; it is present in benign documents as well and is not a network indicator.

Extracted artifacts (16)

Files carved from inside the sample during analysis. All 16 carved objects are 27195 bytes long and start at a fixed stride of 0x1342F bytes in the RTF, yet every one has a distinct SHA-256, so they are not byte-identical copies; diff them before concluding how many distinct payloads the document carries.

Filename  Kind  Source  Size  (SHA-256 of the decoded object on the following line)
objdata_00_off00002c45.bin rtf-objdata-decoded RTF \objdata at offset 0x2C45 27195 bytes
SHA-256: ff8a3a7d79de7a3bff4ba2d0b3d92fa7e444f57adfdbe631aedeb633ea889703
objdata_01_off00016074.bin rtf-objdata-decoded RTF \objdata at offset 0x16074 27195 bytes
SHA-256: 53afd48b2f0290e26584e2e7cf10fabd31c0707ae829f4835048de2a06443728
objdata_02_off000294a3.bin rtf-objdata-decoded RTF \objdata at offset 0x294A3 27195 bytes
SHA-256: aa93e15e8346d52fb43414a9477c8cfe804dcfb920e4e64776f51b6d5bdf1d6c
objdata_03_off0003c8d2.bin rtf-objdata-decoded RTF \objdata at offset 0x3C8D2 27195 bytes
SHA-256: 2eea89e24d17191258841c72b7cb6a287a257d7f22298661df647329b2656a7d
objdata_04_off0004fd01.bin rtf-objdata-decoded RTF \objdata at offset 0x4FD01 27195 bytes
SHA-256: 7a168ffb1ab8a7a66278644a785707520299a3bcb46c020f32bc7ad17a227e3a
objdata_05_off00063130.bin rtf-objdata-decoded RTF \objdata at offset 0x63130 27195 bytes
SHA-256: 0311a0181d8bd9be86a713dad0997b8596d3025616b46b03a806a16e7ef50cb8
objdata_06_off0007655f.bin rtf-objdata-decoded RTF \objdata at offset 0x7655F 27195 bytes
SHA-256: 3a341affbe8c24fb12fd32e35c87a85ee0ba698292a7e0fa93e7a59fa3881e4c
objdata_07_off0008998e.bin rtf-objdata-decoded RTF \objdata at offset 0x8998E 27195 bytes
SHA-256: 1b5357e35a132032d7c88532a1455744624939c16b40ada4361becda55c1cc6b
objdata_08_off0009cdbd.bin rtf-objdata-decoded RTF \objdata at offset 0x9CDBD 27195 bytes
SHA-256: 15f1e0357b7ce11cab85e8a8d152d652ff6b4144005be4d933a1070b39b6a4c3
objdata_09_off000b01ec.bin rtf-objdata-decoded RTF \objdata at offset 0xB01EC 27195 bytes
SHA-256: 2201bd4014666ee2552fc0c694b90ce7d20b64ff46e6414ed1ec1d8e80b9e941
objdata_10_off000c361b.bin rtf-objdata-decoded RTF \objdata at offset 0xC361B 27195 bytes
SHA-256: ea4c20d315da1a12ea72239f149e87977cbcc4571a7c020b100ce39e1207441f
objdata_11_off000d6a4a.bin rtf-objdata-decoded RTF \objdata at offset 0xD6A4A 27195 bytes
SHA-256: b178cc139edf301bb745d3e94f4db794df21b1b1b67ae38b7f9ff382a8ee572e
objdata_12_off000e9e79.bin rtf-objdata-decoded RTF \objdata at offset 0xE9E79 27195 bytes
SHA-256: 2556fc94d6ecd5b3f25c35b4b402b21ccc31e71b580f7430776a2ad6bc096b63
objdata_13_off000fd2a8.bin rtf-objdata-decoded RTF \objdata at offset 0xFD2A8 27195 bytes
SHA-256: 87aa68619a36a5a0edbd705befcaf234c3899d00f524e9deb8a2498e5f7fd3fc
objdata_14_off001106d7.bin rtf-objdata-decoded RTF \objdata at offset 0x1106D7 27195 bytes
SHA-256: 781aa9a3fe29acce8521ce72bff5526b245fcca0a8473717c0e5b50f3e81b25c
objdata_15_off00123b06.bin rtf-objdata-decoded RTF \objdata at offset 0x123B06 27195 bytes
SHA-256: 6d22f5491f50d8ef098b83e2065b1e0d7ceb6369a84d300b299ac960a88d1950
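The heuristics above and the artifact table are both produced by the same operation: walk the RTF for {\object ...} groups, note whether each carries \objemb and \objupdate, decode the hex in its \objdata group, and parse the OLE 1.0 header so the object's class name is visible. The following script is an added example, not the analysis platform's own code, that does exactly that on a constructed two-object RTF (an Equation.3 object forced to activate with \objupdate, and a Package object whose hex is split across lines the way malware often does to defeat naive regex carving). The sample bytes, the filler "native" payloads, and the function names are assumptions made for the example; the OLE 1.0 layout (OLEVersion, FormatID, length-prefixed class/topic/item names, NativeDataSize, NativeData) follows MS-OLEDS.

```python
"""Carve OLE objects out of RTF \\objdata hex and flag \\objupdate / \\objemb.
Example code, not the analysis tool's implementation."""
import hashlib
import re
import struct

HEXDIGITS = frozenset(b"0123456789abcdefABCDEF")


def build_ole1(class_name: str, native: bytes) -> bytes:
    """Serialize an OLE 1.0 embedded-object stream as carried in \\objdata
    (MS-OLEDS: ObjectHeader, NativeDataSize, NativeData). Used only to build sample input."""
    def lpstr(s: bytes) -> bytes:      # LengthPrefixedAnsiString: length incl. NUL, then text
        return struct.pack("<I", len(s) + 1) + s + b"\x00"
    return (struct.pack("<II", 0x00000501, 0x00000002)   # OLEVersion, FormatID 2 = embedded
            + lpstr(class_name.encode("ascii"))
            + lpstr(b"") + lpstr(b"")                    # TopicName, ItemName (unused)
            + struct.pack("<I", len(native)) + native)


def parse_ole1(blob: bytes) -> dict:
    """Read the ObjectHeader so the class name (Equation.3, Package, ...) is visible
    without interpreting the native payload. Raises struct.error on truncated data."""
    pos = 0

    def u32() -> int:
        nonlocal pos
        (value,) = struct.unpack_from("<I", blob, pos)
        pos += 4
        return value

    def lpstr() -> str:
        nonlocal pos
        n = u32()
        text = blob[pos:pos + n]
        pos += n
        return text.rstrip(b"\x00").decode("ascii", "replace")

    version, fmt = u32(), u32()
    class_name, _topic, _item = lpstr(), lpstr(), lpstr()
    size = u32()
    return {"ole_version": version, "format_id": fmt, "class_name": class_name,
            "native_size": size, "native": blob[pos:pos + size]}


def group_end(rtf: bytes, start: int) -> int:
    """Index one past the '}' that closes the group opened by the '{' at start."""
    depth, i = 0, start
    while i < len(rtf):
        c = rtf[i]
        if c == 0x5C:              # backslash: skip the next byte so \{ and \} are not counted
            i += 2
            continue
        if c == 0x7B:
            depth += 1
        elif c == 0x7D:
            depth -= 1
            if depth == 0:
                return i + 1
        i += 1
    return len(rtf)


def objdata_hex(grp: bytes, pos: int) -> bytes:
    """Collect the hex digits of an \\objdata group starting just after the control word,
    ignoring whitespace, newlines and nested control words inserted to break naive
    carving. The \\bin N raw-binary form is not handled here."""
    depth, out, i = 1, bytearray(), pos
    while i < len(grp) and depth > 0:
        c = grp[i]
        if c == 0x5C:                                  # control word or control symbol
            j = i + 1
            if grp[j:j + 1].isalpha():
                while grp[j:j + 1].isalpha():
                    j += 1
                while grp[j:j + 1].isdigit() or grp[j:j + 1] == b"-":
                    j += 1
                if grp[j:j + 1] == b" ":               # delimiting space belongs to the word
                    j += 1
            elif grp[j:j + 1] == b"'":                 # \'hh escaped byte
                j += 3
            else:
                j += 1
            i = j
            continue
        if c == 0x7B:
            depth += 1
        elif c == 0x7D:
            depth -= 1
        elif c in HEXDIGITS:
            out.append(c)
        i += 1
    if len(out) % 2:                                   # odd nibble count: drop the dangling one
        out.pop()
    return bytes(out)


def carve_objects(rtf: bytes) -> list:
    """One record per {\\object ...} group: offset, \\objemb/\\objupdate flags, decoded
    size and SHA-256 of the OLE1 stream, and its parsed header."""
    records = []
    for m in re.finditer(rb"\{\\object(?![A-Za-z])", rtf):
        grp = rtf[m.start():group_end(rtf, m.start())]
        d = re.search(rb"\\objdata(?![A-Za-z])", grp)
        if d is None:
            continue
        blob = bytes.fromhex(objdata_hex(grp, d.end()).decode("ascii"))
        try:
            rec = parse_ole1(blob)
        except struct.error:                           # truncated or non-OLE1: still report it
            rec = {"class_name": None}
        rec.update(offset=m.start(),
                   objupdate=re.search(rb"\\objupdate(?![A-Za-z])", grp) is not None,
                   objemb=re.search(rb"\\objemb(?![A-Za-z])", grp) is not None,
                   decoded_size=len(blob),
                   sha256=hashlib.sha256(blob).hexdigest())
        records.append(rec)
    return records


# Constructed sample RTF (not the analysed file). EQ_NATIVE is filler, not real MTEF data.
EQ_NATIVE = b"\x1c\x00\x00\x00\x02\x00" + b"A" * 26
PKG_HEX = build_ole1("Package", b"MZ" + b"\x00" * 14).hex().encode()
SAMPLE_RTF = (
    b"{\\rtf1\\ansi\\deff0\n"
    b"{\\object\\objemb\\objupdate\\objw380\\objh260{\\*\\objclass Equation.3}\n"
    b"{\\*\\objdata " + build_ole1("Equation.3", EQ_NATIVE).hex().encode() + b"}}\n"
    b"{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata\n"
    + b"\r\n".join(PKG_HEX[i:i + 32] for i in range(0, len(PKG_HEX), 32))
    + b"}}\n}"
)

if __name__ == "__main__":
    for r in carve_objects(SAMPLE_RTF):
        flags = "+".join(f for f in ("objemb", "objupdate") if r[f])
        print(f"off=0x{r['offset']:X} class={r['class_name']} flags={flags or '-'} "
              f"decoded={r['decoded_size']}B sha256={r['sha256'][:16]}...")
```

Run it on a real sample by replacing SAMPLE_RTF with the file's bytes; an object whose record shows objupdate=True together with an Equation.3 class name is the combination the RTF_OBJUPDATE heuristic is designed to catch, and the sha256 of each decoded blob is what the artifact table above lists per object.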