Malicious RTF — malware analysis report

Static analysis result for SHA-256 54473a66b4cd0bf9…

MALICIOUS

RTF

Size: 965.3 KB
Created: 2018-04-16
First seen: 2021-02-23
MD5: 586b4ae29cd383773d854e2a6cbea88b
SHA-1: 13b8d6f7a45131e75f2dbad04f5a2f484d69fc08
SHA-256: 54473a66b4cd0bf9b79170654d2d33fb4169d405692dda044a7f4d4662f62ac2
Risk score: 82

Heuristics (4)

  • \objupdate forces OLE activation [high] RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium] RTF_OBJDATA
    RTF contains 12 \objdata section(s) — embedded OLE objects
  • Embedded OLE object [medium] RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)

Extracted artifacts (12)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
objdata_00_off00002c45.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2C45 | 27195 bytes | f33b137ee6e142881022dbf01fc20ce523d25ecfd4be76acb46f349e6fcb3f10
objdata_01_off00016074.bin | rtf-objdata-decoded | RTF \objdata at offset 0x16074 | 27195 bytes | 15583cb7e3ab1999ae6b190ad67a80038fd93e6265a2b490fa579dddb5e1b392
objdata_02_off000294a3.bin | rtf-objdata-decoded | RTF \objdata at offset 0x294A3 | 27195 bytes | 1ba3235c1babbe066f735ba1ef27c990c7df3f3b27f20a10af1da2b87d285cc8
objdata_03_off0003c8d2.bin | rtf-objdata-decoded | RTF \objdata at offset 0x3C8D2 | 27195 bytes | 12242aec7e24a5ac9ec865301a26018a00571b236dff31e169342a751da76308
objdata_04_off0004fd01.bin | rtf-objdata-decoded | RTF \objdata at offset 0x4FD01 | 27195 bytes | d006037e4f3846bcd99b13d2620f52992dce26e0c42b78efd69ac2f6a391b09d
objdata_05_off00063130.bin | rtf-objdata-decoded | RTF \objdata at offset 0x63130 | 27195 bytes | 41fbf96be8029fde13f2879800d58857d3825ee8208a2d02c74748c9f74e9d5b
objdata_06_off000765ab.bin | rtf-objdata-decoded | RTF \objdata at offset 0x765AB | 27195 bytes | e67ddc9563c866d68d905d8ea139cc8d301c7e75979db66069c1bd12c7006ea0
objdata_07_off000899da.bin | rtf-objdata-decoded | RTF \objdata at offset 0x899DA | 27195 bytes | 7666c403105235b3c02117661b30c2ab546a9cf122f4e45c97989b2384ea5163
objdata_08_off0009ce09.bin | rtf-objdata-decoded | RTF \objdata at offset 0x9CE09 | 27195 bytes | e057c45297f3df03def3669eded219badec0c4b90b0a6e06bb83e2cbd33ff876
objdata_09_off000b0238.bin | rtf-objdata-decoded | RTF \objdata at offset 0xB0238 | 27195 bytes | 776023aabd7636ea9f52e2bcf7e7ba8e4eeab8021643d7fe964fc8b83bad8f7a
objdata_10_off000c3667.bin | rtf-objdata-decoded | RTF \objdata at offset 0xC3667 | 27195 bytes | 29e2f710590523b5f2fbfa70e1cc2e2068df891b5714b827545211ccf46e43d2
objdata_11_off000d6a96.bin | rtf-objdata-decoded | RTF \objdata at offset 0xD6A96 | 27195 bytes | 5fc365294b73f4623a2df14a6c0a5f169311b4331bbb3aff64408da0b0153ab2