Malicious RTF — malware analysis report

Static analysis result for SHA-256 7317a0234591d7a7…

MALICIOUS

RTF

Size: 128.8 KB
First seen: 2012-07-06
MD5: c34ad19a60a76e311cec5cf6b93c3929
SHA-1: ce4781879888ffbaad887586df3301ef287e6165
SHA-256: 7317a0234591d7a73b10c1441d955c3b24934268b545731f845c8552b64b1e78
Risk Score: 62

Heuristics (2)

  • XOR-encoded strings (key 0xBC) [critical] SC_XOR_ENCODED
    Found 8 Windows library/API name(s) XOR-encoded with single-byte key 0xBC: 'msvcrt.dll', 'msvcrt.dll', 'LoadLibraryA', 'GetProcAddress', 'CreateProcessA', 'CreateFileA', 'CreateFileA', 'CreateFileA'
    Disassembly hidden — these bytes score as data, not coherent x86 code (no internal branches to corroborate control flow).
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: RTF body)