Malicious RTF — malware analysis report

Static analysis result for SHA-256 63926865aca8405b…

MALICIOUS

RTF

832.0 KB Created: 2018-02-24 17:17:00 First seen: 2021-02-23
MD5: 235aee2f7652fd5eb853846963058256 SHA-1: 069e99088f3b48d867bffbc557967a26b44d52ed SHA-256: 63926865aca8405b8a0679939a29553c816e4f94bafe592b956114c2b9157e7d
Risk Score: 202

Heuristics 5

  • ClamAV: Xls.Downloader.Generic-6750544-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.Generic-6750544-0
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 10 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2003/wordml In RTF body

Extracted artifacts 10

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size

objdata_00_off00002cc3.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2CC3 | 27707 bytes
    SHA-256: ebbe0a352503d0f04598ccb365226b5f74318fc2cc627c8ef9a571db9ff5a9ad
    Detection: ClamAV: Xls.Downloader.Generic-6750544-0
    Obfuscation or payload: unlikely

objdata_01_off0001680d.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1680D | 27707 bytes
    SHA-256: 2115979e4d1f8b089d1d344c2c4731e614857fd7839316a5200c9bbb7a2d385c
    Detection: ClamAV: Xls.Downloader.Generic-6750544-0
    Obfuscation or payload: unlikely

objdata_02_off0002a4de.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2A4DE | 27707 bytes
    SHA-256: 4fecc7028d3049714da19b9c2690a35643bd9a88520fe36f25fb921196188831
    Detection: ClamAV: Xls.Downloader.Generic-6750544-0
    Obfuscation or payload: unlikely

objdata_03_off0003e1ad.bin | rtf-objdata-decoded | RTF \objdata at offset 0x3E1AD | 27707 bytes
    SHA-256: 5712f34f4dd8e470e9965806e8943f1333a816de26b961c2deafcfaab5a9d28b
    Detection: ClamAV: Xls.Downloader.Generic-6750544-0
    Obfuscation or payload: unlikely

objdata_04_off00051e7c.bin | rtf-objdata-decoded | RTF \objdata at offset 0x51E7C | 27707 bytes
    SHA-256: 61424701e9db1659e3d554e1eecdb31ff892914094741031564901b9afa34048
    Detection: ClamAV: Xls.Downloader.Generic-6750544-0
    Obfuscation or payload: unlikely

objdata_05_off00065b73.bin | rtf-objdata-decoded | RTF \objdata at offset 0x65B73 | 27707 bytes
    SHA-256: a76ee20cc9ce154e2bd577db4740775f4c685c28fca9fb6def45b6f67ac47b92
    Detection: ClamAV: Xls.Downloader.Generic-6750544-0
    Obfuscation or payload: unlikely

objdata_06_off00079636.bin | rtf-objdata-decoded | RTF \objdata at offset 0x79636 | 27707 bytes
    SHA-256: 65102f94e4a3d3449135d56144ed20686af7b479728e0cf9d835f4ec06f32c9d
    Detection: ClamAV: Xls.Downloader.Generic-6750544-0
    Obfuscation or payload: unlikely

objdata_07_off0008d305.bin | rtf-objdata-decoded | RTF \objdata at offset 0x8D305 | 27707 bytes
    SHA-256: 4d621109b6f74f1a9fba4e39c8d508e7ef94d38c0da338fb76fd21ae8269f89f
    Detection: ClamAV: Xls.Downloader.Generic-6750544-0
    Obfuscation or payload: unlikely

objdata_08_off000a0fd4.bin | rtf-objdata-decoded | RTF \objdata at offset 0xA0FD4 | 27707 bytes
    SHA-256: 5be308f2e32c380a89285b384ecbeed9d807c81617e6a7cd881263ba8c8e02a7
    Detection: ClamAV: Xls.Downloader.Generic-6750544-0
    Obfuscation or payload: unlikely

objdata_09_off000b4ca3.bin | rtf-objdata-decoded | RTF \objdata at offset 0xB4CA3 | 27707 bytes
    SHA-256: c933adf1097ce84db90b8dab5630685fed2b291834410951da794c9ae437df9b
    Detection: ClamAV: Xls.Downloader.Generic-6750544-0
    Obfuscation or payload: unlikely