Malicious RTF — malware analysis report

Static analysis result for SHA-256 888f9c76d26cdfa7…

MALICIOUS

RTF

Size: 665.3 KB | Created: 2017-10-30 10:49:00 | First seen: 2021-02-23
MD5: 21f7c85b255dfb717cbc235d616f6e33
SHA-1: 0557cb0cf51bfad1d7e55786e394756a2883f4b0
SHA-256: 888f9c76d26cdfa7340779a015d95785253cf14a1a850fe79ec64a6a24b1deac
Risk score: 202

Heuristics (5)

  • [critical] CLAMAV_DETECTION — ClamAV: Doc.Macro.Obfuscation-6391394-0
    ClamAV detected this file as malware: Doc.Macro.Obfuscation-6391394-0
  • [high] RTF_OBJUPDATE — \objupdate forces OLE activation
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • [medium] RTF_OBJDATA — OLE object data
    RTF contains 10 \objdata section(s) — embedded OLE objects
  • [medium] RTF_OBJEMB — Embedded OLE object
    RTF contains \objemb — embedded OLE object
  • [info] EMBEDDED_URL — Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)

Extracted artifacts (10)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 | Detection | Obfuscation or payload |
|---|---|---|---|---|---|---|
| objdata_00_off00002a8d.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2A8D | 20545 bytes | c0887b7fec10b6bbd0b2eebed7dcf1ea4af6122b5559e4085f566e09df6a9acc | ClamAV: Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_01_off00012496.bin | rtf-objdata-decoded | RTF \objdata at offset 0x12496 | 20545 bytes | 284aa6d30b691946fd0ccb737327496e5d6cb241d99b12c8710598990e32112c | ClamAV: Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_02_off00021ea1.bin | rtf-objdata-decoded | RTF \objdata at offset 0x21EA1 | 20545 bytes | e779f2a374685d444c9cb83b11aa1fa48b742856eee4da515048dc1980931af0 | ClamAV: Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_03_off000318ac.bin | rtf-objdata-decoded | RTF \objdata at offset 0x318AC | 20545 bytes | 45124deaad80b9d9568468f172f1e8e44f4ab64751c1863f22e395ddb2dd6630 | ClamAV: Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_04_off000412b7.bin | rtf-objdata-decoded | RTF \objdata at offset 0x412B7 | 20545 bytes | 6ee7569003263b955a3f1e4b1ae0f5db407053dc55ccfdcd65953b2bafc87926 | ClamAV: Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_05_off00050cc2.bin | rtf-objdata-decoded | RTF \objdata at offset 0x50CC2 | 20545 bytes | b1221c280fb81c6dfe370c34a7bd76bfb122d87acdcfa01d97af3265fafa4369 | ClamAV: Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_06_off000606cd.bin | rtf-objdata-decoded | RTF \objdata at offset 0x606CD | 20545 bytes | b8614d7d022a15ad3f88f001c013f89b7ad66b63168de5a7e98fbee2c980e632 | ClamAV: Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_07_off000700d8.bin | rtf-objdata-decoded | RTF \objdata at offset 0x700D8 | 20545 bytes | a96a953dd6156944e8e250fb08f4833558035d6e116ff4c24d199e9d5e3c10c3 | ClamAV: Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_08_off0007fae3.bin | rtf-objdata-decoded | RTF \objdata at offset 0x7FAE3 | 20545 bytes | c5a5a545937d89744d698399fff72fe904babff49cdc4bd2d3134b74a003e75d | ClamAV: Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_09_off0008f4ee.bin | rtf-objdata-decoded | RTF \objdata at offset 0x8F4EE | 20545 bytes | f23eb083c954942fa2131e350b1a27c0daa7504a013c105ca3fc0060275384bb | ClamAV: Doc.Macro.Obfuscation-6391394-0 | unlikely |