Malicious RTF — malware analysis report

Static analysis result for SHA-256 b47fe5a720b11a46…

Verdict: MALICIOUS
File type: RTF
Size: 1.63 MB
Created: 2018-01-15 01:22:00
First seen: 2021-02-23
MD5: d4d3ecbc804b011f776beb5d3a348c97
SHA-1: afe0fafefdc063676673153fdd7dc5508c196573
SHA-256: b47fe5a720b11a464e9780de01728fa14dcb0f9ea306fb908f9b80b1e27763af
Risk score: 242

Heuristics (6)

  • ClamAV: Doc.Macro.Obfuscation-6391394-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Macro.Obfuscation-6391394-0
  • \objupdate forces OLE activation [high, RTF_OBJUPDATE]
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • Large hex data blocks in OLE object [high, RTF_EXCESSIVE_HEX]
    RTF contains ~1643 KB of hex-encoded data inside \objdata sections, which may hide a payload.
  • OLE object data [medium, RTF_OBJDATA]
    RTF contains 10 \objdata section(s) (embedded OLE objects).
  • Embedded OLE object [medium, RTF_OBJEMB]
    RTF contains \objemb (embedded OLE object).
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)

Extracted artifacts (10)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256 | Detection | Obfuscation or payload
objdata_00_off000035fc.bin | rtf-objdata-decoded | RTF \objdata at offset 0x35FC | 22593 bytes | 13fb018941c87ae411f812d8a93a02d93fbcfc90124dc95132f24e2662f983fd | ClamAV: Doc.Macro.Obfuscation-6391394-0 | unlikely
objdata_01_off00014047.bin | rtf-objdata-decoded | RTF \objdata at offset 0x14047 | 22593 bytes | 2490bd5fd143545533e2e35a6dbeee73a037195e829ba7eaccd663a493f73efc | ClamAV: Doc.Macro.Obfuscation-6391394-0 | unlikely
objdata_02_off00024a92.bin | rtf-objdata-decoded | RTF \objdata at offset 0x24A92 | 22593 bytes | c44cfda27fd624debf4cb93607290d204c3a13458e4e7e5e22b98b06cd0ca7eb | ClamAV: Doc.Macro.Obfuscation-6391394-0 | unlikely
objdata_03_off000354dd.bin | rtf-objdata-decoded | RTF \objdata at offset 0x354DD | 22593 bytes | 93fcd77b2bbd618d116087573eef7f74d1167132afc56a3f5b17fd92bd7eee7f | ClamAV: Doc.Macro.Obfuscation-6391394-0 | unlikely
objdata_04_off00045f28.bin | rtf-objdata-decoded | RTF \objdata at offset 0x45F28 | 22593 bytes | 2a5744fcce3476b15c4b2a2f703ac47cd2b5ca29f2b914aa57c6db99b58f588a | ClamAV: Doc.Macro.Obfuscation-6391394-0 | unlikely
objdata_05_off00056973.bin | rtf-objdata-decoded | RTF \objdata at offset 0x56973 | 22593 bytes | d2ad53e6d43088147719a0cbf9eec395e0809e207f5e08ad58a7724c846a967c | ClamAV: Doc.Macro.Obfuscation-6391394-0 | unlikely
objdata_06_off000673be.bin | rtf-objdata-decoded | RTF \objdata at offset 0x673BE | 22593 bytes | 5947a0c20831364cb0b0f8bc63e3c3665d7553303022864aa32a87b2cf1dd67a | ClamAV: Doc.Macro.Obfuscation-6391394-0 | unlikely
objdata_07_off00077e09.bin | rtf-objdata-decoded | RTF \objdata at offset 0x77E09 | 22593 bytes | bfc0a33a330764715fe7c105486531a05d02c03bce022cee685d7e51dbf4fda5 | ClamAV: Doc.Macro.Obfuscation-6391394-0 | unlikely
objdata_08_off00088854.bin | rtf-objdata-decoded | RTF \objdata at offset 0x88854 | 22593 bytes | d8011e7dabeaa5eb998264bf31e1152c56eeb3d862e3a663a3be4fd15f986489 | ClamAV: Doc.Macro.Obfuscation-6391394-0 | unlikely
objdata_09_off0009929f.bin | rtf-objdata-decoded | RTF \objdata at offset 0x9929F | 22593 bytes | 148d08cef213b9eb164aec59562e6d86b4e7bf0f1e78cd931b76a7540b24e6d2 | ClamAV: Doc.Macro.Obfuscation-6391394-0 | unlikely