Malicious RTF — malware analysis report

Static analysis result for SHA-256 6f3a8557e2c95a71…

Verdict: MALICIOUS
File type: RTF
Size: 665.3 KB    Created: 2017-10-30 11:13:00    First seen: 2021-02-23
MD5: 95f99d56a855cc512949de89564ab528
SHA-1: 84f1c68a05d7acc4d46546c055a1fa61147e704b
SHA-256: 6f3a8557e2c95a717cb48080042293045011e74f2a4c79aaeffbfcc86456eb37
Risk score: 202

Heuristics (5)

  • CLAMAV_DETECTION (critical): ClamAV: Doc.Macro.Obfuscation-6391394-0
    ClamAV detected this file as malware: Doc.Macro.Obfuscation-6391394-0
  • RTF_OBJUPDATE (high): \objupdate forces OLE activation
    RTF contains \objupdate, which makes Word update, and therefore instantiate, the embedded OLE object as soon as the document is opened, with no click or other interaction from the user. Almost exclusively seen in Equation Editor exploit documents.
  • RTF_OBJDATA (medium): OLE object data
    RTF contains 10 \objdata section(s), i.e. 10 embedded OLE objects.
  • RTF_OBJEMB (medium): Embedded OLE object
    RTF contains \objemb, an embedded (as opposed to linked) OLE object.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body). This is the WordprocessingML 2003 schema namespace URI that Word writes into its own documents; it is not a network indicator and nothing is fetched from it.

Extracted artifacts (10)

Files carved from inside the sample during analysis. All ten are decoded \objdata objects of identical size (20545 bytes) but with distinct content (ten different SHA-256 values); each carries the same ClamAV detection, while the per-artifact obfuscation/payload heuristic rates all of them "unlikely".

Filename | Kind | Source | Size | SHA-256 | Detection | Obfuscation or payload
objdata_00_off00002a8b.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2A8B | 20545 bytes | 7fc90a8b7558372e82cd3b956e2efde2edae2e78f655c8c3f728a729544a4466 | ClamAV: Doc.Macro.Obfuscation-6391394-0 | unlikely
objdata_01_off00012492.bin | rtf-objdata-decoded | RTF \objdata at offset 0x12492 | 20545 bytes | 05e444397d9a6ca2e0d90b9b2d0a7f580316cee37a0498d493a8665975b6f8fa | ClamAV: Doc.Macro.Obfuscation-6391394-0 | unlikely
objdata_02_off00021e9b.bin | rtf-objdata-decoded | RTF \objdata at offset 0x21E9B | 20545 bytes | 5459e5d41f0c085ef1d98ef1535daeb97b255e6d6f86b0db46e4b4dcb2da2932 | ClamAV: Doc.Macro.Obfuscation-6391394-0 | unlikely
objdata_03_off000318a4.bin | rtf-objdata-decoded | RTF \objdata at offset 0x318A4 | 20545 bytes | 23982db1c559df91ad1d7875b775d997a32add7303528d5df2b99f24e0715c3d | ClamAV: Doc.Macro.Obfuscation-6391394-0 | unlikely
objdata_04_off000412ad.bin | rtf-objdata-decoded | RTF \objdata at offset 0x412AD | 20545 bytes | 72e0e83b1d18fac506214eb05062d3e53388629b2e6006133ce04a1f7913f8dd | ClamAV: Doc.Macro.Obfuscation-6391394-0 | unlikely
objdata_05_off00050cb6.bin | rtf-objdata-decoded | RTF \objdata at offset 0x50CB6 | 20545 bytes | 7e7c9ab2ac0990ab3c3dc2a37d6a2b026414ac66d840287a2e2c7dbf04d0cab5 | ClamAV: Doc.Macro.Obfuscation-6391394-0 | unlikely
objdata_06_off000606bf.bin | rtf-objdata-decoded | RTF \objdata at offset 0x606BF | 20545 bytes | f7ecb18de9481e741bca4aa15ba604d91e618ab2c1cc1c598b08fec2af708ad0 | ClamAV: Doc.Macro.Obfuscation-6391394-0 | unlikely
objdata_07_off000700c8.bin | rtf-objdata-decoded | RTF \objdata at offset 0x700C8 | 20545 bytes | f7f34e1434b65e861fcaf38186db7f4287e4f488ac1d3e91babb50363c6ba491 | ClamAV: Doc.Macro.Obfuscation-6391394-0 | unlikely
objdata_08_off0007fad1.bin | rtf-objdata-decoded | RTF \objdata at offset 0x7FAD1 | 20545 bytes | 63083b16019af78b09e417294a4eca2e9d646f91598e5583f55a8a7ba815e2f0 | ClamAV: Doc.Macro.Obfuscation-6391394-0 | unlikely
objdata_09_off0008f4da.bin | rtf-objdata-decoded | RTF \objdata at offset 0x8F4DA | 20545 bytes | 2b326ec9229a830a1d93e114b5b7c4919929d2e226a3d9618a97a67a66163d3f | ClamAV: Doc.Macro.Obfuscation-6391394-0 | unlikely