Malicious RTF — malware analysis report

Static analysis result for SHA-256 5d1f558443675a63…

MALICIOUS

RTF

Size: 607.7 KB
Created: 2021-01-11 23:50:00
First seen: 2021-01-23
MD5: bb1cc4ed1d3ea35305a48dfa0259208c
SHA-1: e8e7d770c7904ba086f9cf101f472bf2a12e9e0e
SHA-256: 5d1f558443675a63f631fc567571c9bce3d83bf71e978aa7f4067df9a08a2f0c
Risk score: 222

Heuristics (7 matched)

  • PE header (with DOS stub) in hex data (critical, RTF_MZ_HEX)
    A hex-encoded PE image (MZ header plus DOS stub) was found inside the RTF; this is almost always an embedded executable payload.
  • \objupdate forces OLE activation (high, RTF_OBJUPDATE)
    The RTF contains \objupdate, which makes Word update (instantiate) the OLE object as soon as the document is opened, with no click or prompt from the user. Almost exclusively seen in Equation Editor exploit documents.
  • Package object class (high, RTF_OBJCLASS_PACKAGE)
    OLE Package object; it can wrap an arbitrary file, which Packager writes to disk when the object is activated.
  • Suspicious extracted artifact (high, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files carved from inside this sample matched static suspicious-content checks (script obfuscation, encoded payload blobs, packed data, or execution/download terms).
  • OLE object data (medium, RTF_OBJDATA)
    The RTF contains 3 \objdata sections, i.e. three embedded OLE objects.
  • Embedded OLE object (medium, RTF_OBJEMB)
    The RTF contains \objemb (an embedded, as opposed to linked, OLE object).
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2003/wordml (in RTF body). This is the WordprocessingML 2003 XML namespace identifier that Word writes into its own output; it is never contacted at runtime and should not be treated as a network indicator.
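The four RTF heuristics above reduce to one decode-and-parse pass over each \objdata group. The Python below is added here as an illustration and is not the analysis tool's own code: it pulls the hex payload out of every {\*\objdata ...} group, parses the OLE 1.0 object header (MS-OLEDS) to recover the class name and native data, and then checks that native data for an MZ header whose e_lfanew points at a PE\0\0 signature; \objupdate and \objemb are plain control-word searches. The RTF it runs on is constructed inline to mirror this sample's structure (\objemb, \objupdate, a Package class, a hex-encoded executable) and is not the analysed file; the rule names reuse the report's IDs. Obfuscated samples pad the hex with junk control words and odd-length runs, so production triage should use a full RTF tokenizer such as oletools' rtfobj rather than the strip-non-hex shortcut used here.

```python
import re
import struct

# OLE 1.0 object header constants (MS-OLEDS). These bytes open nearly every
# \objdata blob once the RTF hex encoding has been removed.
OLE_VERSION = 0x00000501
FORMAT_EMBEDDED = 0x00000002


def _read_lpstr(buf, pos):
    """Read a LengthPrefixedAnsiString: u32 length (incl. NUL), then the bytes."""
    (n,) = struct.unpack_from("<I", buf, pos)
    pos += 4
    return buf[pos:pos + n].rstrip(b"\x00").decode("latin-1"), pos + n


def parse_ole1(blob):
    """Parse the OLE 1.0 ObjectHeader at the start of a decoded \\objdata blob.

    Returns (class_name, format_id, native_data). native_data is empty for
    anything other than an embedded object."""
    ver, fmt = struct.unpack_from("<II", blob, 0)
    if ver != OLE_VERSION:
        raise ValueError("not an OLE 1.0 object header")
    pos = 8
    class_name, pos = _read_lpstr(blob, pos)   # e.g. "Package", "Equation.3"
    _topic, pos = _read_lpstr(blob, pos)
    _item, pos = _read_lpstr(blob, pos)
    native = b""
    if fmt == FORMAT_EMBEDDED:
        (size,) = struct.unpack_from("<I", buf := blob, pos)
        native = buf[pos + 4:pos + 4 + size]
    return class_name, fmt, native


def find_pe(data):
    """Offset of the first MZ header whose e_lfanew points at 'PE\\0\\0', else -1."""
    i = data.find(b"MZ")
    while i != -1:
        if i + 0x40 <= len(data):
            (lfanew,) = struct.unpack_from("<I", data, i + 0x3C)
            if 0x40 <= lfanew < 0x1000 and data[i + lfanew:i + lfanew + 4] == b"PE\x00\x00":
                return i
        i = data.find(b"MZ", i + 1)
    return -1


# Captures everything up to the closing brace of a {\*\objdata ...} group.
OBJDATA_RE = re.compile(rb"\\\*\\objdata([^{}]*)")


def triage_rtf(rtf):
    """Return (set of rule IDs that fire, one record per embedded object)."""
    rules = set()
    if re.search(rb"\\objupdate\b", rtf):
        rules.add("RTF_OBJUPDATE")
    if re.search(rb"\\objemb\b", rtf):
        rules.add("RTF_OBJEMB")
    objects = []
    for m in OBJDATA_RE.finditer(rtf):
        # Drop whitespace (and, crudely, any junk) between hex digits.
        blob = bytes.fromhex(re.sub(rb"[^0-9A-Fa-f]", b"", m.group(1)).decode())
        rules.add("RTF_OBJDATA")
        class_name, fmt, native = parse_ole1(blob)
        if class_name.lower() == "package":
            rules.add("RTF_OBJCLASS_PACKAGE")
        pe_off = find_pe(native)
        if pe_off != -1:
            rules.add("RTF_MZ_HEX")
        objects.append({"offset": m.start(), "class": class_name,
                        "native_size": len(native), "pe_offset": pe_off})
    return rules, objects


# ---- constructed sample input (not the analysed file) ----------------------
def _lpstr(s):
    b = s.encode() + b"\x00" if s else b""
    return struct.pack("<I", len(b)) + b


def _fake_pe():
    """Stand-in for an embedded executable: DOS header, stub text, PE signature."""
    img = bytearray(b"MZ" + b"\x00" * 0x3E)            # 0x40-byte DOS header
    struct.pack_into("<I", img, 0x3C, 0x80)            # e_lfanew -> 0x80
    img += b"This program cannot be run in DOS mode.\r\n$"
    img += b"\x00" * (0x80 - len(img))
    img += b"PE\x00\x00" + b"\x00" * 20               # NT signature, truncated headers
    return bytes(img)


def _sample_rtf():
    native = _fake_pe()
    ole1 = (struct.pack("<II", OLE_VERSION, FORMAT_EMBEDDED) + _lpstr("Package")
            + _lpstr("") + _lpstr("") + struct.pack("<I", len(native)) + native)
    hexdata = ole1.hex().encode()
    wrapped = b"\r\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))
    return (b"{\\rtf1\\ansi\\deff0{\\object\\objemb\\objupdate{\\*\\objclass Package}"
            b"{\\*\\objdata " + wrapped + b"}}}")


SAMPLE_RTF = _sample_rtf()

if __name__ == "__main__":
    fired, objs = triage_rtf(SAMPLE_RTF)
    print(sorted(fired))
    for o in objs:
        print(o)
```

On the constructed input this fires RTF_OBJUPDATE, RTF_OBJEMB, RTF_OBJDATA, RTF_OBJCLASS_PACKAGE and RTF_MZ_HEX, and reports a Package object whose native data starts with the PE at offset 0. The native data of a real Package object is the Package stream (label, original path, then the file bytes), so find_pe() returning a non-zero offset there is normal; what matters is that an MZ/PE pair exists at all inside a document that also carries \objupdate.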

Extracted artifacts (3)

Files carved from inside the sample during analysis. Kind rtf-objdata-decoded means the \objdata hex stream was decoded back to bytes; the result typically still starts with the OLE 1.0 object header, so the native payload (for a Package object, the wrapped file) needs one more unwrapping step before it is hashed, scanned or detonated on its own. A clean ClamAV result on these intermediate blobs is therefore not exculpatory.

Filename: objdata_00_off00002b9c.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x2B9C
Size: 120062 bytes
SHA-256: 3636774a71ad5bdd315b3a95890956fe1cb4852354ff6cf3b2cdf634167341fc
Detection
  ClamAV: No threats found
  Obfuscation or payload: likely
  Static shellcode analysis found candidate code region(s).
  Indicators: SC_PEB_ACCESS, SC_STR_CMD, SC_STR_GETPROCADDRESS
  Recovered API/import strings: ExitProcess, GetProcAddress, CreateProcessW
  Recovered command string(s): cmd.exe

Filename: objdata_01_off000456fd.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x456FD
Size: 140004 bytes
SHA-256: 6c2ea5fbcc78e30242938356e9a1c508a22ba437fed453b1cd086f5610d34b2a
Detection
  ClamAV: No threats found
  Obfuscation or payload: likely
  Static shellcode analysis found candidate code region(s).
  Indicators: SC_PEB_ACCESS, SC_STR_SHELLEXEC, SC_STR_GETPROCADDRESS
  Recovered API/import strings: kernel32.dll, wininet.dll, shell32.dll, KERNEL32.DLL, InternetOpenA, InternetOpenUrlA

Filename: objdata_02_off00091f89.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x91F89
Size: 1067 bytes
SHA-256: 4d156803ed5857f02df55a28b26eac6818a445d7ffa32e4cfa95cafd6290a12e
Detection
  ClamAV: No threats found
  Obfuscation or payload: likely
  Static shellcode analysis found candidate code region(s).
  Indicators: SC_PEB_ACCESS, NOP sled
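The static shellcode lines above report indicator names and recovered strings without saying how they are derived. As an added example, not the tool's own implementation, the Python below shows the kind of byte-level and string-level checks that produce them: fs:[0x30] and gs:[0x60] PEB reads for SC_PEB_ACCESS, a run of 0x90 bytes for the NOP sled, and a watchlist of API names, DLL names and command strings for the SC_STR_* indicators. The input buffer and the watchlist are constructed for the example; the opcode patterns are the common encodings and deliberately do not cover every register or SIB form. Two caveats for reading the report: shellcode that resolves imports by hash carries no API strings at all, so SC_PEB_ACCESS alone (as on the 1067-byte objdata_02 above) is still a strong signal; and a blob that contains a whole PE yields the same SC_STR_* hits from its cleartext import table, so on objdata_00, which also matched RTF_MZ_HEX, those strings say little about hand-written shellcode.

```python
import re

# Opcode patterns for reading the PEB pointer out of the TEB, the opening move
# of position-independent shellcode that walks the loader lists to find APIs.
# Heuristic: mod=01 forms that would need a SIB byte are not excluded.
PEB_PATTERNS = [
    re.compile(rb"\x64\xa1\x30\x00\x00\x00"),                                   # mov eax, fs:[0x30]
    re.compile(rb"\x64\x8b[\x05\x0d\x15\x1d\x25\x2d\x35\x3d]\x30\x00\x00\x00"),  # mov r32, fs:[0x30]
    re.compile(rb"\x64\x8b[\x40-\x7f]\x30"),                                    # mov r32, fs:[r32+0x30]
    re.compile(rb"\x65\x48\x8b\x04\x25\x60\x00\x00\x00"),                       # mov rax, gs:[0x60] (x64)
]
NOP_SLED_MIN = 16          # minimum run of 0x90 bytes reported as a sled (assumed threshold)

# Assumed watchlist of API names worth surfacing; DLL names are matched by suffix.
KNOWN_APIS = {
    "GetProcAddress", "LoadLibraryA", "LoadLibraryW", "ExitProcess", "WinExec",
    "CreateProcessA", "CreateProcessW", "VirtualAlloc", "WriteFile",
    "InternetOpenA", "InternetOpenUrlA", "InternetReadFile", "URLDownloadToFileA",
    "ShellExecuteA", "ShellExecuteW", "ShellExecuteExW",
}


def ascii_strings(buf, min_len=6):
    """Printable-ASCII runs of at least min_len bytes, in file order."""
    pat = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pat, buf)]


def scan_shellcode(buf):
    """Return indicators, API/DLL strings, command strings and NOP-sled spans for buf."""
    indicators = set()
    if any(p.search(buf) for p in PEB_PATTERNS):
        indicators.add("SC_PEB_ACCESS")
    sleds = [m.span() for m in re.finditer(rb"\x90{%d,}" % NOP_SLED_MIN, buf)]
    if sleds:
        indicators.add("NOP sled")
    apis, commands = [], []
    for s in ascii_strings(buf):
        low = s.lower()
        if s in KNOWN_APIS or low.endswith(".dll"):
            apis.append(s)
        if "cmd.exe" in low or "powershell" in low:
            commands.append(s)
            indicators.add("SC_STR_CMD")
        if "shellexecute" in low:
            indicators.add("SC_STR_SHELLEXEC")
        if "getprocaddress" in low:
            indicators.add("SC_STR_GETPROCADDRESS")
    return {"indicators": indicators, "apis": apis, "commands": commands, "sleds": sleds}


# Constructed buffer (not carved from the sample): a sled, a PEB->Ldr walk
# prologue, and a few cleartext strings of the kind the report lists.
SAMPLE = (b"\x90" * 24                     # NOP sled
          + b"\x31\xc0"                     # xor eax, eax
          + b"\x64\x8b\x40\x30"             # mov eax, fs:[eax+0x30]   (PEB)
          + b"\x8b\x40\x0c"                 # mov eax, [eax+0x0c]      (PEB->Ldr)
          + b"\x8b\x70\x14"                 # mov esi, [eax+0x14]      (InMemoryOrderModuleList)
          + b"\xeb\xfe"                     # jmp $ (placeholder for the rest)
          + b"\x00" * 8
          + b"kernel32.dll\x00GetProcAddress\x00ExitProcess\x00cmd.exe /c whoami\x00")

if __name__ == "__main__":
    result = scan_shellcode(SAMPLE)
    print(sorted(result["indicators"]))
    print(result["apis"], result["commands"], result["sleds"])
```

Run over the constructed buffer this reports SC_PEB_ACCESS, NOP sled, SC_STR_CMD and SC_STR_GETPROCADDRESS, the three strings kernel32.dll, GetProcAddress and ExitProcess, and one sled spanning bytes 0 to 24. Lowering NOP_SLED_MIN or widening the opcode patterns raises recall at the cost of false positives on ordinary padding and on x86 code that legitimately touches fs:[0x30], which is why the report treats these as "candidate" regions rather than a verdict.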