RTF malware analysis — malicious · 5809076ea5d97fac

MALICIOUS

RTF

201.9 KB Created: 2015-11-17 15:29:00 First seen: 2020-12-25

MD5: 296c956fe429cedd1b64b78e66797122 SHA-1: ff1ecd429853ee0e33f7cdfa9624a2015a40e715 SHA-256: 5809076ea5d97facb9cffabd2b44ea4f8de1af8a0c2c2df3807cb3a82ef99508

62 Risk Score

Heuristics 3

URL Moniker in RTF OLE object high CVE related RTF_URL_MONIKER_RELATED

RTF contains a URL Moniker GUID in OLE object context, but no decoded remote target was confirmed. Treat as related OLE2Link attack-surface evidence rather than proof of CVE-2017-0199 exploitation.
OLE object data medium RTF_OBJDATA

RTF contains 1 \objdata section(s) — embedded OLE objects
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.microsoft.com/office/word/2003/wordml}{ In RTF body
- http://www.adobe.com/2006/flex/mx/internalIn RTF body
- http://adobe.com/AS3/2006/builtinIn RTF body

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off0000b249.bin`	rtf-objdata-decoded	RTF \objdata at offset 0xB249	6902 bytes
SHA-256: `8543cf311d74d80ab3fd876d407e30805f5fec4d960ecc40a94db15def1b79f6`

Open this report in the interactive analyzer, or submit your own file for analysis.