Malicious RTF — malware analysis report

Static analysis result for SHA-256 75cdc1076248cbde…

Verdict: MALICIOUS
File type: RTF
Size: 846.8 KB
Created: 2018-05-29 18:04:00 (as declared by the document; this field is trivially forged)
First seen: 2021-02-23
MD5: 8c7c8cec90f4e9afdec9358c5d5d7881
SHA-1: b2ddb4f030d2f85cee0a0822daf36cc548717b17
SHA-256: 75cdc1076248cbdea6f507821f5f41da2e212714659a53315522f09c707acbdd
Risk score: 122

Heuristics (5)

  • Composite Moniker in RTF OLE object  [high]  CVE related  RTF_COMPOSITE_MONIKER_RELATED
    RTF contains the Composite Moniker CLSID ({00000309-0000-0000-C000-000000000046}) in an OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat this as evidence of the moniker attack surface associated with CVE-2017-8570, not as proof that it is exploited; to confirm, inspect the decoded objects for an accompanying file or URL moniker that references a .sct scriptlet.
  • \objupdate forces OLE activation  [high]  RTF_OBJUPDATE
    RTF contains \objupdate, which makes Word instantiate the embedded OLE object as soon as the document is opened, with no click from the user. It is rarely seen outside exploit documents, and almost exclusively in Equation Editor ones.
  • OLE object data  [medium]  RTF_OBJDATA
    RTF contains 10 \objdata sections (hex-encoded embedded OLE object payloads); each is carved and decoded under Extracted artifacts below.
  • Embedded OLE object  [medium]  RTF_OBJEMB
    RTF contains \objemb, i.e. an embedded (not linked) OLE object.
  • Embedded URL  [info]  EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for the channel (macro, JS, link annotation, document body, ...) through which each URL was reached.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body). This is the WordprocessingML 2003 namespace URI that Word itself writes into the \xmlnstbl of RTF it generates, so its presence is expected in benign documents as well.
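The RTF heuristics above (the \objupdate and \objemb control words, the count of \objdata streams, the Composite Moniker CLSID inside decoded object data, and URLs in the body) can be reproduced with a short triage script. The following is an added example written for this page, not tooling from the report's analysis engine: the function names (scan_rtf, parse_ole1, decode_hex), the sample RTF it scans and the hand-built OLE1 object inside it are constructed here for illustration and are not any of the ten objects carved from the real file. It hex-decodes each \objdata run, parses the OLE1 ObjectHeader (MS-OLEDS) to recover the embedded class name, searches the decoded bytes for the little-endian serialization of the Composite Moniker CLSID, and lists URLs found in the body.

```python
r"""Added example for this page, not the report's own tooling: reproduces the RTF
heuristics above (\objupdate, \objemb, \objdata count, Composite Moniker CLSID in
decoded object data, URLs in the body). All names and the sample RTF are
constructed here for illustration."""
import hashlib
import re
import struct

# CLSID_CompositeMoniker {00000309-0000-0000-C000-000000000046}, in the
# little-endian byte order used when a CLSID is serialized into an OLE stream.
COMPOSITE_MONIKER_CLSID_LE = bytes.fromhex("0903000000000000c000000000000046")

OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")
URL_RE = re.compile(rb"https?://[^\s\"'<>{}\\]+")


def decode_hex(hex_blob: bytes) -> bytes:
    """Strip RTF line wrapping and decode an objdata hex run. A dangling odd
    nibble is dropped instead of raising; truncated objdata is common in samples."""
    compact = re.sub(rb"\s+", b"", hex_blob)
    if len(compact) % 2:
        compact = compact[:-1]
    return bytes.fromhex(compact.decode("ascii"))


def _read_lp_string(buf: bytes, off: int):
    """MS-OLEDS LengthPrefixedAnsiString: u32 length, then that many bytes
    (null-terminated); length 0 means the string is absent."""
    (n,) = struct.unpack_from("<I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("length-prefixed string runs past end of object")
    return buf[off:off + n].rstrip(b"\x00"), off + n


def parse_ole1(data: bytes):
    """Parse the OLE1 ObjectHeader at the start of decoded objdata; None if it
    does not parse (corrupt or deliberately malformed headers are common)."""
    try:
        version, format_id = struct.unpack_from("<II", data, 0)
        off = 8
        class_name, off = _read_lp_string(data, off)
        _topic, off = _read_lp_string(data, off)
        _item, off = _read_lp_string(data, off)
        native = b""
        if format_id == 2:  # EmbeddedObject: u32 NativeDataSize then NativeData
            (size,) = struct.unpack_from("<I", data, off)
            native = data[off + 4:off + 4 + size]
    except (struct.error, ValueError):
        return None
    return {"ole_version": version, "format_id": format_id,
            "class_name": class_name.decode("latin-1"), "native_data": native}


def scan_rtf(rtf: bytes) -> dict:
    """Run the report's RTF heuristics over raw RTF bytes and summarise them."""
    report = {
        "objupdate": b"\\objupdate" in rtf,
        "objemb": b"\\objemb" in rtf,
        "objdata_count": 0,
        "composite_moniker": False,
        "urls": sorted({u.decode("ascii", "replace") for u in URL_RE.findall(rtf)}),
        "objects": [],
    }
    for m in OBJDATA_RE.finditer(rtf):
        blob = decode_hex(m.group(1))
        header = parse_ole1(blob)
        # Search the whole blob, not only the parsed native data: a corrupted
        # header would otherwise let the moniker CLSID slip past the parser.
        has_cm = COMPOSITE_MONIKER_CLSID_LE in blob
        report["objdata_count"] += 1
        report["composite_moniker"] = report["composite_moniker"] or has_cm
        report["objects"].append({
            "offset": m.start(),
            "size": len(blob),
            "sha256": hashlib.sha256(blob).hexdigest(),
            "class_name": header["class_name"] if header else None,
            "composite_moniker": has_cm,
        })
    return report


# --- Constructed sample document (not the analysed file) ---------------------
def _lp(s: bytes) -> bytes:
    return (struct.pack("<I", len(s) + 1) + s + b"\x00") if s else struct.pack("<I", 0)

# Stand-in native data: compound-document magic plus the Composite Moniker CLSID.
SAMPLE_NATIVE = b"\xd0\xcf\x11\xe0" + b"\x00" * 12 + COMPOSITE_MONIKER_CLSID_LE + b"\x00" * 4
SAMPLE_OBJDATA = (struct.pack("<II", 0x0501, 2) + _lp(b"OLE2Link") + _lp(b"") + _lp(b"")
                  + struct.pack("<I", len(SAMPLE_NATIVE)) + SAMPLE_NATIVE)
_hex = SAMPLE_OBJDATA.hex().encode("ascii")
_wrapped = b"\n".join(_hex[i:i + 64] for i in range(0, len(_hex), 64))  # Word wraps hex lines
SAMPLE_RTF = (
    b"{\\rtf1\\ansi\n"
    + b"{\\*\\xmlnstbl {\\xmlns1 http://schemas.microsoft.com/office/word/2003/wordml}}\n"
    + b"{\\object\\objemb\\objupdate{\\*\\objclass OLE2Link}\n"
    + b"{\\*\\objdata " + _wrapped + b"}}\n"
    + b"}\n"
)

if __name__ == "__main__":
    import json
    print(json.dumps(scan_rtf(SAMPLE_RTF), indent=2))
```

Run it directly to get a JSON summary of the constructed sample, or pass real file bytes to scan_rtf to triage a document. Two caveats: the regex assumes the hex follows \objdata directly, and real samples often obfuscate it with interleaved control words, \bin runs or splits across groups, so a miss from this script is not a clean bill of health; and the CLSID search is deliberately run over the whole decoded blob rather than only the parsed native data, because attackers corrupt the OLE1 header precisely to make naive parsers stop early.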

Extracted artifacts (10)

Files carved from inside the sample during analysis. All ten decoded \objdata streams are exactly 26683 bytes long yet hash differently, so they are not byte-identical copies of one object; diff them before assuming a single payload repeated ten times.

Filename                    Kind                 Source                          Size         SHA-256
objdata_00_off000030df.bin  rtf-objdata-decoded  RTF \objdata at offset 0x30DF   26683 bytes  fefdf8e795054d8c7f98553977f0a974d1b3d413e3935adaaa123cc7d82d286f
objdata_01_off00015884.bin  rtf-objdata-decoded  RTF \objdata at offset 0x15884  26683 bytes  1d0e6bd6da78719a9a822616f4e768dfc4d271dabbdc4c6504c8a4e0970d941f
objdata_02_off00028130.bin  rtf-objdata-decoded  RTF \objdata at offset 0x28130  26683 bytes  6ebd10bff66352d589b54c0d7f51f04ed5b16a5cf437a93f4a6b7572e363cbda
objdata_03_off0003a9dc.bin  rtf-objdata-decoded  RTF \objdata at offset 0x3A9DC  26683 bytes  2265dcf5d57d93f7de254087f2c04d3a9e2ad5252197135a0fea09eb546b8a11
objdata_04_off0004d288.bin  rtf-objdata-decoded  RTF \objdata at offset 0x4D288  26683 bytes  8f893732c02a81dc3c2a39bd7def7683b916b45e8dfab7df78a335d067c21aad
objdata_05_off0005fb3b.bin  rtf-objdata-decoded  RTF \objdata at offset 0x5FB3B  26683 bytes  54524d89e743aafbb6ca2027698ac3fd5c1395890af46b9f4393c83315c762bd
objdata_06_off000723e7.bin  rtf-objdata-decoded  RTF \objdata at offset 0x723E7  26683 bytes  10cc77b7bd2343b6bbf490626a61db43687a5727c7a64b1c81869fa2c17179e6
objdata_07_off00084c93.bin  rtf-objdata-decoded  RTF \objdata at offset 0x84C93  26683 bytes  b1002cdbd8f71535d0bd1294cbf96e76408e8f24a3746f91447f62171eb97179
objdata_08_off0009753f.bin  rtf-objdata-decoded  RTF \objdata at offset 0x9753F  26683 bytes  d28090db243a81764d77699e4eb305e0a49cf248cd01fa88508f08c725aab0a0
objdata_09_off000a9deb.bin  rtf-objdata-decoded  RTF \objdata at offset 0xA9DEB  26683 bytes  c514128de85c837ce912665fe9e20d23df24821ef19626d40db135fdf4d80d2a