Malicious RTF — malware analysis report

Static analysis result for SHA-256 5c674a64fa21a9e9…

MALICIOUS

RTF

Size: 737.2 KB
Created: 2018-05-02 20:31:00
First seen: 2021-02-23
MD5: 98137e4099fedc556be4e087a6d77b1f
SHA-1: 2469575e81312cff06df668fcf3606ab7914c83a
SHA-256: 5c674a64fa21a9e966370b677960fd1d6eab6fc52cf108dcdefaec2b245513ee
Risk score: 202

Heuristics (5)

  • ClamAV: Doc.Dropper.Agent-6412232-1 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6412232-1
  • \objupdate forces OLE activation [high] (RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium] (RTF_OBJDATA)
    RTF contains 10 \objdata section(s) — embedded OLE objects
  • Embedded OLE object [medium] (RTF_OBJEMB)
    RTF contains \objemb — embedded OLE object
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)

Extracted artifacts (10)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size

objdata_00_off00002c1b.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x2C1B
  Size: 24123 bytes
  SHA-256: ee645ef1d5fb7ea52b7aac594d8753582c6ac1d91beb8f89e61d6c1e5217baf9
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely

objdata_01_off000142a5.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x142A5
  Size: 24123 bytes
  SHA-256: a28f9e8db2c9d2787ded4998fee442be364c5683a5a0f6f20305943f8b9b00f3
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely

objdata_02_off0002592f.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x2592F
  Size: 24123 bytes
  SHA-256: 4092b105329f1c8351210ebd3f2838480838b488d56703218faad470327a8131
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely

objdata_03_off00036fb9.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x36FB9
  Size: 24123 bytes
  SHA-256: 37ee2245c971d8f77865e32e2123677f63dac3a86417e7243006ee9499a3d615
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely

objdata_04_off00048643.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x48643
  Size: 24123 bytes
  SHA-256: e90eff4bc6d32b465c234f622670c352b5115a139a102ac6dab41b1eae148740
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely

objdata_05_off00059d19.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x59D19
  Size: 24123 bytes
  SHA-256: d38d364a27222813bf14759bc04a12d08ad7d9528266871f887561255e40abbc
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely

objdata_06_off0006b3a3.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x6B3A3
  Size: 24123 bytes
  SHA-256: 9708f1b8f1b6489eb5e4076e3ffd47468c8b6e057ae98af269d5e6bfd0f6589a
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely

objdata_07_off0007ca2d.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x7CA2D
  Size: 24123 bytes
  SHA-256: 17a0a08c0423105c364671e422fb59872a2ffc7285c0c54068da43b7e93fd76f
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely

objdata_08_off0008e0b7.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x8E0B7
  Size: 24123 bytes
  SHA-256: 1d31792a05b0d5447026c678d28c38374112eed9a60e4deefeee7e8ad902dfff
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely

objdata_09_off0009f741.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x9F741
  Size: 24123 bytes
  SHA-256: cae1c855bcb836e03abacad44a9d3fb3ac2bd2fbb9476d1aec5b563272564b23
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely