Malicious RTF — malware analysis report

Static analysis result for SHA-256 5df14265d5ce37ae…

Verdict: MALICIOUS
File type: RTF
Size: 675.4 KB    Created: 2017-11-02 10:23:00    First seen: 2021-02-23
MD5: fbb3fc47485df08ffbce8ee5cd9642ce
SHA-1: 879fcac7bc24e8a688ef21d6789e1ca69ffc4fde
SHA-256: 5df14265d5ce37ae0dc0dcb332c42b7331cdc305fc1b265b767bb96d6e6d93cf
Risk score: 202

Heuristics (5)

  • ClamAV: Doc.Macro.Obfuscation-6391394-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Macro.Obfuscation-6391394-0
  • \objupdate forces OLE activation [high] RTF_OBJUPDATE
    RTF contains \objupdate, which instructs the reader to update (instantiate) the embedded OLE object as soon as the document is loaded, so the object's server is launched without any user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium] RTF_OBJDATA
    RTF contains 10 \objdata section(s), the hex-encoded bodies of embedded OLE objects
  • Embedded OLE object [medium] RTF_OBJEMB
    RTF contains \objemb, marking an embedded (rather than linked) OLE object
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2003/wordml, in RTF body. This is the Word 2003 WordprocessingML namespace URI, routinely present in documents produced by Word, and is not an indicator on its own.

Extracted artifacts (10)

Files carved from inside the sample during analysis.

Ten objects were decoded, one per \objdata section. All ten are the same size (21057 bytes) and carry the same ClamAV detection, yet all ten SHA-256 values differ, so the copies are not byte-identical.

objdata_00_off00002a89.bin  (rtf-objdata-decoded, 21057 bytes)
  Source: RTF \objdata at offset 0x2A89
  SHA-256: 8fd465ce1db5445ec232f607544098235c1c3e2e81c80f4a51c9b53c9128667d
  Detection: ClamAV Doc.Macro.Obfuscation-6391394-0; obfuscation or payload: unlikely

objdata_01_off00012898.bin  (rtf-objdata-decoded, 21057 bytes)
  Source: RTF \objdata at offset 0x12898
  SHA-256: 4288d372a34d9e97276ff893ad7e462fc41e2a267bf519e69234d96a9d496a60
  Detection: ClamAV Doc.Macro.Obfuscation-6391394-0; obfuscation or payload: unlikely

objdata_02_off000226a9.bin  (rtf-objdata-decoded, 21057 bytes)
  Source: RTF \objdata at offset 0x226A9
  SHA-256: c69184a48b07c99a2af3215899130a19e3ddc81e0312c8b1a7f26d300667cdf7
  Detection: ClamAV Doc.Macro.Obfuscation-6391394-0; obfuscation or payload: unlikely

objdata_03_off000324ba.bin  (rtf-objdata-decoded, 21057 bytes)
  Source: RTF \objdata at offset 0x324BA
  SHA-256: 6f2752996b37062d669ffea7191ce7aba5fba15384acef95d6b799f9b11fcfb3
  Detection: ClamAV Doc.Macro.Obfuscation-6391394-0; obfuscation or payload: unlikely

objdata_04_off000422cb.bin  (rtf-objdata-decoded, 21057 bytes)
  Source: RTF \objdata at offset 0x422CB
  SHA-256: 816a01d8f3025cbdf1c6d09a195dd80b228970cceac2fdd52991730f673ecfc8
  Detection: ClamAV Doc.Macro.Obfuscation-6391394-0; obfuscation or payload: unlikely

objdata_05_off000520dc.bin  (rtf-objdata-decoded, 21057 bytes)
  Source: RTF \objdata at offset 0x520DC
  SHA-256: b9a6693223d99dba9e9985378ec20e07f1658675986cc9da70b8cb4305d13bc6
  Detection: ClamAV Doc.Macro.Obfuscation-6391394-0; obfuscation or payload: unlikely

objdata_06_off00061eed.bin  (rtf-objdata-decoded, 21057 bytes)
  Source: RTF \objdata at offset 0x61EED
  SHA-256: 4fb8eda4218c7f810f243a7d9620b035f91d65027a321327d25ae55d83c4bb8e
  Detection: ClamAV Doc.Macro.Obfuscation-6391394-0; obfuscation or payload: unlikely

objdata_07_off00071cfe.bin  (rtf-objdata-decoded, 21057 bytes)
  Source: RTF \objdata at offset 0x71CFE
  SHA-256: a7cfc6882b97e668d1dc5e91fa5c649005ff2035df8f785b9041e46f0dd051ea
  Detection: ClamAV Doc.Macro.Obfuscation-6391394-0; obfuscation or payload: unlikely

objdata_08_off00081b0f.bin  (rtf-objdata-decoded, 21057 bytes)
  Source: RTF \objdata at offset 0x81B0F
  SHA-256: 82f68eaf6b102e41b7882330397aa9e7ce3ce6b605373edcb22b510c1c81eeab
  Detection: ClamAV Doc.Macro.Obfuscation-6391394-0; obfuscation or payload: unlikely

objdata_09_off00091920.bin  (rtf-objdata-decoded, 21057 bytes)
  Source: RTF \objdata at offset 0x91920
  SHA-256: 3a722f9d1076e657e140bebeb72850f1ff932926528ca643ffe75ce8086caba9
  Detection: ClamAV Doc.Macro.Obfuscation-6391394-0; obfuscation or payload: unlikely
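The RTF heuristics above (\objupdate, \objemb, \objdata) and the artifact list rest on the same two steps: spotting the object control words, and carving each hex-encoded \objdata body into a decoded OLE object that can be sized, hashed and inspected. The Python below is an added example of both steps; it is not the report's tooling and does not contain anything from the analysed sample. The RTF it runs on is constructed for illustration: two identical Equation.3 objects (Equation.3 is the ProgID of Equation Editor 3.0) plus one Package object, with a stray \v0 control word and a nested group inside one \objdata body to imitate the hex-stream obfuscation such carvers have to tolerate. Control-word handling follows the RTF specification and the class-name parsing follows the OLE1 ObjectHeader layout from MS-OLEDS; the function names are the example's own.

```python
"""RTF OLE-object triage: flag \\objupdate and \\objemb, carve every \\objdata
group, hex-decode and hash it, read the OLE1 class name. Added example only."""
import hashlib
import re
import struct

HEX_DIGITS = b"0123456789abcdefABCDEF"
# Control word (\name, optional signed parameter), hex escape \'hh, or control
# symbol. Skipped inside \objdata so letters such as the 'a' in \par are not hex.
CONTROL = re.compile(rb"\\(?:[A-Za-z]+-?\d*|'[0-9A-Fa-f]{2}|.)", re.DOTALL)


def find_flags(rtf: bytes) -> dict:
    """The control words the report's RTF_* heuristics key on."""
    return {
        "objupdate": b"\\objupdate" in rtf,
        "objemb": b"\\objemb" in rtf,
        "objdata_count": len(re.findall(rb"\\objdata\b", rtf)),
    }


def ole1_class_name(data: bytes):
    """MS-OLEDS OLE1 ObjectHeader: OLEVersion(4) FormatID(4) NameLen(4) Name."""
    if len(data) < 12:
        return None
    _version, format_id, n = struct.unpack_from("<III", data, 0)
    # FormatID 1 = linked, 2 = embedded; anything else is not an OLE1 header
    if format_id not in (1, 2) or not 0 < n <= 256 or 12 + n > len(data):
        return None
    return data[12:12 + n].rstrip(b"\x00").decode("latin-1")


def carve_objdata(rtf: bytes) -> list:
    """One record per \\objdata group: control-word offset, decoded bytes,
    size, SHA-256, and the OLE1 class name when the header parses."""
    records = []
    for m in re.finditer(rb"\\objdata\b", rtf):
        i, depth, hexchars = m.end(), 0, bytearray()
        while i < len(rtf):
            c = rtf[i]
            if c == 0x7B:                  # '{' opens a nested group
                depth += 1
                i += 1
            elif c == 0x7D:                # '}' closes one
                if depth == 0:
                    break                  # end of the \objdata destination
                depth -= 1
                i += 1
            elif c == 0x5C:                # '\' starts a control word/symbol
                cw = CONTROL.match(rtf, i)
                i = cw.end() if cw else i + 1
            else:
                if c in HEX_DIGITS:        # whitespace and other noise dropped
                    hexchars.append(c)
                i += 1
        if len(hexchars) % 2:              # stray trailing nibble: ignore it
            hexchars.pop()
        data = bytes.fromhex(hexchars.decode("ascii"))
        records.append({"offset": m.start(), "size": len(data), "data": data,
                        "sha256": hashlib.sha256(data).hexdigest(),
                        "class_name": ole1_class_name(data)})
    return records


def triage(rtf: bytes) -> dict:
    """Flags, carved objects, distinct blobs (identical copies collapse to one
    entry keyed by hash) and the reasons an analyst would be handed."""
    flags, objects = find_flags(rtf), carve_objdata(rtf)
    unique = {}
    for rec in objects:
        unique.setdefault(rec["sha256"], []).append(rec["offset"])
    reasons = []
    if flags["objupdate"]:
        reasons.append("\\objupdate present: OLE object instantiated on open "
                       "without user interaction")
    eq = [r for r in objects if (r["class_name"] or "").startswith("Equation")]
    if eq:
        reasons.append(f"{len(eq)} Equation Editor object(s), class "
                       f"{eq[0]['class_name']}")
    return {"flags": flags, "objects": objects,
            "unique_objects": unique, "reasons": reasons}


# Constructed sample (not the analysed file): two identical Equation.3 objects
# (Equation.3 is the ProgID of Equation Editor 3.0) and one Package object;
# the \v0 and {\junkgrp xyz} inside \objdata imitate hex-stream obfuscation.
SAMPLE_RTF = rb"""{\rtf1\ansi\deff0
{\object\objemb\objupdate{\*\objclass Equation.3}
{\*\objdata 01050000 02000000\v0 0b000000
4571756174696f6e2e3300 {\junkgrp xyz} 00000000 00000000
04000000 01020304}}
{\object\objemb\objupdate{\*\objclass Equation.3}
{\*\objdata 0105000002000000 0b000000 4571756174696f6e2e3300 0000000000000000 04000000 01020304}}
{\object\objemb{\*\objclass Package}
{\*\objdata 01050000 02000000 08000000 5061636b61676500 00000000 00000000 02000000 4d5a}}
\par Invoice attached.}"""

if __name__ == "__main__":
    for rec in triage(SAMPLE_RTF)["objects"]:
        print(f"0x{rec['offset']:X} {rec['size']}B {rec['class_name']} {rec['sha256']}")
```

Run against the constructed sample, the carver reports three \objdata groups of 39, 39 and 34 decoded bytes, two of them hash-identical, and the class names Equation.3, Equation.3 and Package; the \v0 inside the first body is consumed as a control word rather than contributing a hex digit. On a real document the same hash grouping is what tells ten objects of equal size apart from ten copies of one object.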