Malicious RTF — malware analysis report

Static analysis result for SHA-256 5a234b3e389a22b7…

MALICIOUS

RTF

Size: 665.3 KB  Created: 2017-10-30 10:46:00  First seen: 2021-02-23
MD5: 633c197f7a59d065523d49e819051ef0
SHA-1: ef77e29a78692fa9ea2e11c7b07e42de83b66e5c
SHA-256: 5a234b3e389a22b70da242b1c93d65f358d60f1347b03101f7613fa1db032645
Risk Score: 202

Heuristics 5

  • ClamAV: Doc.Macro.Obfuscation-6391394-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Macro.Obfuscation-6391394-0
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 10 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2003/wordml In RTF body

Extracted artifacts 10

Files carved from inside the sample during analysis.

Columns: Filename | Kind | Source | Size

  • objdata_00_off00002a8a.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2A8A | 20545 bytes
    SHA-256: 62f218ae2d4d5056e784ac88ddb6457c539def4cdbf77198f8b8bc2315203320
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely
  • objdata_01_off00012491.bin | rtf-objdata-decoded | RTF \objdata at offset 0x12491 | 20545 bytes
    SHA-256: 2518ffc86f88223db71a10a23bcf96d10df547bff2b7ade792cf93b62a6e3089
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely
  • objdata_02_off00021e9a.bin | rtf-objdata-decoded | RTF \objdata at offset 0x21E9A | 20545 bytes
    SHA-256: 7d935c631ae4b2a23e93041832d2f327f90d3fb5a62ae56d7ea47b317475df6e
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely
  • objdata_03_off000318a3.bin | rtf-objdata-decoded | RTF \objdata at offset 0x318A3 | 20545 bytes
    SHA-256: 1bb966b78b7b3100c44e5c4b8ec4619b8f5ad94e6a8654bdea50bf693cab9bc4
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely
  • objdata_04_off000412ac.bin | rtf-objdata-decoded | RTF \objdata at offset 0x412AC | 20545 bytes
    SHA-256: 1807af47c75ced5a3fee0de83868d45039b5791ad219fbb79441ae2ee63dc00e
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely
  • objdata_05_off00050cb5.bin | rtf-objdata-decoded | RTF \objdata at offset 0x50CB5 | 20545 bytes
    SHA-256: 0d40b37d66a60d58f2a3c2fe05f83e98413c4dc298de871544eef1c3fe54713b
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely
  • objdata_06_off000606be.bin | rtf-objdata-decoded | RTF \objdata at offset 0x606BE | 20545 bytes
    SHA-256: 5dabbc707cd253f516bbab520be90613eb561b810ba1ae02dbfab9144800f378
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely
  • objdata_07_off000700c7.bin | rtf-objdata-decoded | RTF \objdata at offset 0x700C7 | 20545 bytes
    SHA-256: 88a6c857a6e018c08445a2a72b590a13d83821871a465a1df0eb3786625809e2
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely
  • objdata_08_off0007fad0.bin | rtf-objdata-decoded | RTF \objdata at offset 0x7FAD0 | 20545 bytes
    SHA-256: bf2f858c64afad37914400d54b51d2d8e8696329e6badae6b63ed2772b416c57
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely
  • objdata_09_off0008f4d9.bin | rtf-objdata-decoded | RTF \objdata at offset 0x8F4D9 | 20545 bytes
    SHA-256: 5a5ac2526a9d5c5786789e5aab65427ea62cb336eb12455867e2b99bc6b066f1
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely