Malicious RTF — malware analysis report

Static analysis result for SHA-256 660a6197a032cd2b…

MALICIOUS

RTF

Size: 675.4 KB
Created: 2017-11-02 10:29:00
First seen: 2021-02-23
MD5: fcb10363739516602ffdb6416d8370fd
SHA-1: b013bd126beb5cb471fdae46f21af623014fbe7b
SHA-256: 660a6197a032cd2baf35df713575f16b71ebdcda67b89deb1afc45f2b986490a
Risk score: 202

Heuristics (5)

  • ClamAV: Doc.Macro.Obfuscation-6391394-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Macro.Obfuscation-6391394-0
  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 10 \objdata section(s) — embedded OLE objects
  • Embedded OLE object (severity: medium, rule: RTF_OBJEMB)
    RTF contains \objemb — embedded OLE object
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (channel: RTF body)

Extracted artifacts (10)

Files carved from inside the sample during analysis.

objdata_00_off00002a8c.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x2A8C
  Size: 21057 bytes
  SHA-256: 51112f0e7299e703e674921b99212eb9e6674e323e14ee9d2308664e6af65c4e
  Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
  Obfuscation or payload: unlikely

objdata_01_off0001289d.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x1289D
  Size: 21057 bytes
  SHA-256: 3bdcfa99e755d493ef2fc994923176e0b00ace59ad76bca4c7db40520ea441cc
  Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
  Obfuscation or payload: unlikely

objdata_02_off000226b0.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x226B0
  Size: 21057 bytes
  SHA-256: 7b9bc2578ecab5266f288a057061c2befa456f993aa1bb38d3bd94b2e81f8dc9
  Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
  Obfuscation or payload: unlikely

objdata_03_off000324c3.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x324C3
  Size: 21057 bytes
  SHA-256: bb43f5f4d83716a3585602b40b97d30d151523e2ea8fcf37a15f18e0104e22e5
  Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
  Obfuscation or payload: unlikely

objdata_04_off000422d6.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x422D6
  Size: 21057 bytes
  SHA-256: c4a7f6f56f2fa221e9e637a2ced167067a50af00d1899d14d2fa379475dc6958
  Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
  Obfuscation or payload: unlikely

objdata_05_off000520e9.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x520E9
  Size: 21057 bytes
  SHA-256: cda3ea11bcd1fca7c24e3a205e15db6c53ca747dc052dc5a8a3271462da416b7
  Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
  Obfuscation or payload: unlikely

objdata_06_off00061efc.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x61EFC
  Size: 21057 bytes
  SHA-256: cb8c56055c0161de30bb756740036e31bca50ab09b9d17b2889df01f47406b20
  Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
  Obfuscation or payload: unlikely

objdata_07_off00071d0f.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x71D0F
  Size: 21057 bytes
  SHA-256: 13367971b0c3529bbdd09d87add44098a0e6afee225d2f5b96623121de309cfa
  Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
  Obfuscation or payload: unlikely

objdata_08_off00081b22.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x81B22
  Size: 21057 bytes
  SHA-256: be7c72907cbe24125bb2bc3d823cc82c05a2a0fa78d464cd8f5dd550fba6fc06
  Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
  Obfuscation or payload: unlikely

objdata_09_off00091935.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x91935
  Size: 21057 bytes
  SHA-256: 0b214a5a9b55c9d99b72b18501d9e0300c17985c4ba1daf08ac935590e756ccb
  Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
  Obfuscation or payload: unlikely