Malicious RTF — malware analysis report

Static analysis result for SHA-256 958f865ea8f7c623…

Verdict: MALICIOUS
File type: RTF
Size: 812.5 KB
Created: 2018-03-27 23:39:00
First seen: 2021-02-23
MD5:     da26631dd7033e893de18c8d38ecf40e
SHA-1:   f0daabf9803616703004346a928b24f7ccc695f9
SHA-256: 958f865ea8f7c6232abeadc88a743db0485e45c1737039204edcddb45b890070
Risk score: 202

Heuristics (5)

  • ClamAV: Doc.Macro.Obfuscation-6391394-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Macro.Obfuscation-6391394-0. The same signature fires on each of the ten decoded \objdata streams listed under Extracted artifacts.
  • \objupdate forces OLE activation [high] RTF_OBJUPDATE
    RTF contains \objupdate. This control word tells Word to refresh the embedded OLE object as soon as the document is rendered, so the object's server process is started without the user double-clicking the object. In the wild it is seen almost exclusively in Equation Editor exploit documents (the CVE-2017-11882 / CVE-2018-0802 family).
  • OLE object data [medium] RTF_OBJDATA
    RTF contains 10 \objdata sections, each a hex-encoded OLE 1.0 object record; the decoded records are listed under Extracted artifacts.
  • Embedded OLE object [medium] RTF_OBJEMB
    RTF contains \objemb: the object is embedded in the document rather than linked to an external file.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label says which channel (macro, JS, link annotation, document body, ...) reached it.
    URL http://schemas.microsoft.com/office/word/2003/wordml (in RTF body). This is the WordprocessingML 2003 namespace identifier that Word writes into RTF it saves, not an address the document fetches.

Extracted artifacts (10)

Files carved from inside the sample during analysis. All ten decoded \objdata streams are the same size (26683 bytes) but have distinct SHA-256 hashes, and ClamAV's Doc.Macro.Obfuscation-6391394-0 signature fires on each of them. The columns that are identical for every artifact are given once:

  Kind: rtf-objdata-decoded
  Size: 26683 bytes
  Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
  Obfuscation or payload: unlikely

Filename                    Source (RTF \objdata at offset)  SHA-256
objdata_00_off00002cb6.bin  0x2CB6                           c774409e95f5e7e149459a85c54f01cdcc768fcc5727bb3f252a380ec3e4c6cf
objdata_01_off00016164.bin  0x16164                          d4150b97b13cd97361dd255276870b989c9a6f254b2aea3fed82e0a208c2d6c3
objdata_02_off00029612.bin  0x29612                          1d7b2a4c8727a8fbbda08f0e19945ce35633c17b6467c27ebba3991fbfa21814
objdata_03_off0003cac0.bin  0x3CAC0                          40a529c50a034933c752b96b669b887bd328ae4a36baecbff36d5f2c4a2eacd6
objdata_04_off0004ff6e.bin  0x4FF6E                          ae6bf803af0bd4c49578fd63279c5dd5525178f16dde18a00f7c8a2efe9cb1cf
objdata_05_off00063466.bin  0x63466                          d271a03e98010add5182401484c5d2e646df656867583960d7bd4c3a6e5226c0
objdata_06_off00076914.bin  0x76914                          3e97a428934e28dcf29786a555faff26436b3e88e2f3aff4945abe6cc5885678
objdata_07_off00089dc2.bin  0x89DC2                          9c0d82e23bd99794d6c3048ae43f2df3cd3a9a8b0ae93b0bc3fdfc391c0f3415
objdata_08_off0009d270.bin  0x9D270                          d795ef76e6619e464f9b8cb46c92da8436e089250d89f37f10f865ec6581ed86
objdata_09_off000b071e.bin  0xB071E                          80b09b21658053a43a93f30b0c9fdf68270616a41b3d569f9ac421c0e74d34fe
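
As an added example (not the report's own tooling, and not code from the analysed file), the following Python reproduces the three RTF heuristics above and the \objdata carving behind the Extracted artifacts list: it flags \objupdate, \objemb and \objdata, decodes each \objdata hex stream into the OLE 1.0 record it carries, hashes the record and reads the class name from its MS-OLEDS ObjectHeader. The RTF it scans is constructed inside the script; the class name Equation.3, the native bytes and the junk control words used for the obfuscated variant are assumptions for the demo, not data taken from this sample.

```python
import hashlib
import re
import struct

# Control words the report flags, matched on a word boundary so \objdata does not
# also hit a longer word. Dict order is the order the labels are reported in.
HEURISTICS = {
    "RTF_OBJUPDATE": rb"\\objupdate\b",  # object refreshed (so its server is loaded) on open
    "RTF_OBJEMB":    rb"\\objemb\b",     # embedded, not linked, object
    "RTF_OBJDATA":   rb"\\objdata\b",    # hex-encoded OLE 1.0 record follows
}

# One RTF control word or symbol: \'hh escape, \word[-]digits[space], or \<symbol>.
_CTRL = re.compile(rb"\\'[0-9a-fA-F]{2}|\\[a-zA-Z]+-?\d* ?|\\[^a-zA-Z]")
_HEX = frozenset(b"0123456789abcdefABCDEF")


def parse_ole1_header(blob: bytes):
    """Read the MS-OLEDS ObjectHeader of an OLE 1.0 record; None if blob is not one."""
    if len(blob) < 8:
        return None
    version, fmt = struct.unpack_from("<II", blob, 0)
    if version != 0x00000501:               # OLEVersion is always 0x00000501
        return None
    off, names = 8, []
    for _ in range(3):                      # ClassName, TopicName, ItemName (length-prefixed ANSI)
        if off + 4 > len(blob):
            return None
        (n,) = struct.unpack_from("<I", blob, off)
        off += 4
        if n > len(blob) - off:
            return None
        names.append(blob[off:off + n].rstrip(b"\x00").decode("latin-1"))
        off += n
    info = {"format_id": fmt, "class_name": names[0], "topic_name": names[1], "item_name": names[2]}
    if fmt == 2 and off + 4 <= len(blob):   # FormatID 2 = EmbeddedObject: NativeDataSize follows
        (info["native_size"],) = struct.unpack_from("<I", blob, off)
    return info


def carve_objdata(rtf: bytes) -> list:
    """One dict per \\objdata group: file offset, decoded size, SHA-256 and OLE 1.0 header.
    Hex digits are collected up to the group's closing brace; whitespace, nested braces and
    control words dropped into the stream (a common obfuscation) are skipped, as Word skips them."""
    found = []
    for m in re.finditer(rb"\\objdata\b", rtf):
        pos, depth, hexbuf = m.end(), 1, bytearray()
        while pos < len(rtf) and depth > 0:
            c = rtf[pos]
            if c == 0x7B:                                # {
                depth, pos = depth + 1, pos + 1
            elif c == 0x7D:                              # }
                depth, pos = depth - 1, pos + 1
            elif c == 0x5C:                              # \ : skip the whole control word/symbol
                cm = _CTRL.match(rtf, pos)
                pos = cm.end() if cm else pos + 1
            else:
                if c in _HEX:
                    hexbuf.append(c)
                pos += 1
        if len(hexbuf) % 2:                              # a dangling nibble is dropped
            hexbuf.pop()
        blob = bytes.fromhex(hexbuf.decode("ascii"))
        found.append({"offset": m.start(), "size": len(blob),
                      "sha256": hashlib.sha256(blob).hexdigest(),
                      "ole1": parse_ole1_header(blob)})
    return found


def scan_rtf(rtf: bytes) -> dict:
    """Heuristic labels present in the file plus the carved \\objdata records."""
    return {"heuristics": [k for k, pat in HEURISTICS.items() if re.search(pat, rtf)],
            "objects": carve_objdata(rtf)}


# --- constructed sample (assumptions for the demo, not the analysed file) ---
def _lp_ansi(s: str) -> bytes:
    """MS-OLEDS LengthPrefixedAnsiString: 4-byte length counting the NUL, then the bytes."""
    if not s:
        return struct.pack("<I", 0)
    data = s.encode("latin-1") + b"\x00"
    return struct.pack("<I", len(data)) + data


def build_sample_ole1(class_name="Equation.3", native=b"constructed placeholder native data") -> bytes:
    """OLE 1.0 embedded-object record: ObjectHeader, then NativeDataSize and NativeData."""
    return (struct.pack("<II", 0x00000501, 2) + _lp_ansi(class_name) + _lp_ansi("") + _lp_ansi("")
            + struct.pack("<I", len(native)) + native)


def build_sample_rtf(ole1: bytes, class_name="Equation.3", obfuscate=False) -> bytes:
    """Minimal RTF wrapping the record in \\object\\objemb\\objupdate. With obfuscate=True a junk
    control word and an \\'hh escape are inserted between hex chunks, as obfuscated droppers do."""
    hexstr = ole1.hex().encode("ascii")
    chunks = [hexstr[i:i + 32] for i in range(0, len(hexstr), 32)]
    sep = b"\\lang1033 \\'0d\r\n" if obfuscate else b"\r\n"
    return (b"{\\rtf1\\ansi\\deff0\r\n{\\object\\objemb\\objupdate{\\*\\objclass "
            + class_name.encode("latin-1") + b"}\r\n{\\*\\objdata\r\n" + sep.join(chunks)
            + b"\r\n}\r\n{\\result{\\pict\\wmetafile8 0100}}}\r\n}")


if __name__ == "__main__":
    record = build_sample_ole1()
    for label, doc in (("plain", build_sample_rtf(record)), ("obfuscated", build_sample_rtf(record, obfuscate=True))):
        report = scan_rtf(doc)
        print(label, report["heuristics"])
        for obj in report["objects"]:
            hdr = obj["ole1"] or {}
            print(f"  \\objdata at 0x{obj['offset']:X}: {obj['size']} bytes, sha256={obj['sha256'][:16]}..., "
                  f"class={hdr.get('class_name', '?')}")
```

The plain and the obfuscated RTF decode to byte-identical records with the same SHA-256, which is why the report can hash the carved object rather than the RTF text around it; the class name read from the header is what tells an analyst whether the object targets Equation Editor or some other OLE server.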