RTF malware analysis — malicious · 7d3757683e4286f5

MALICIOUS

RTF

184.6 KB Created: 2018-05-07 First seen: 2021-02-23

MD5: afddb94f9c8a0c06025234c89a927b27 SHA-1: 3c1d034660ca0f411097553a535f635f7772ff8d SHA-256: 7d3757683e4286f5afa057315557a494d6d7dd2c07acd312bf6db7d6531ed018

202 Risk Score

Heuristics 5

ClamAV: Doc.Dropper.Agent-6412232-1 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Dropper.Agent-6412232-1
\objupdate forces OLE activation high RTF_OBJUPDATE

RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
OLE object data medium RTF_OBJDATA

RTF contains 2 \objdata section(s) — embedded OLE objects
Embedded OLE object medium RTF_OBJEMB

RTF contains \objemb — embedded OLE object
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.microsoft.com/office/word/2003/wordml In RTF body

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off00002c0c.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x2C0C	33339 bytes
SHA-256: `24ef5c4529992bfc204bab22a0f1e39f70514963a7c436ab56fe008c8417ec31`
Detection ClamAV: Doc.Dropper.Agent-6412232-1 Obfuscation or payload: unlikely
`objdata_01_off00018b24.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x18B24	33339 bytes
SHA-256: `98c5ad5b4401507508646a44d2e8add2e21740ee576fdafa84938d1153f7dae3`
Detection ClamAV: Doc.Dropper.Agent-6412232-1 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.