Malicious RTF — malware analysis report

Static analysis result for SHA-256 b983cf80d8dc5c66…

MALICIOUS

RTF

522.4 KB Created: 2018-04-29 08:06:00 First seen: 2021-02-23
MD5: e70ba7bd4b4da8ab5044edd698e43c68 SHA-1: 97a46bf9be2257956a4f6a15a2c400e089b667f8 SHA-256: b983cf80d8dc5c66d79f6ed27236d1e44fe05edd3f5943bae6d96de0a726b25a
Risk Score: 242

Heuristics (6)

  • Composite Moniker in RTF OLE object [severity: high; CVE related] RTF_COMPOSITE_MONIKER_RELATED
    RTF contains a Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
  • ClamAV: Doc.Dropper.Agent-6412232-1 [severity: critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6412232-1
  • \objupdate forces OLE activation [severity: high] RTF_OBJUPDATE
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [severity: medium] RTF_OBJDATA
    RTF contains 8 \objdata section(s), i.e. embedded OLE objects
  • Embedded OLE object [severity: medium] RTF_OBJEMB
    RTF contains \objemb, an embedded OLE object
  • Embedded URL [severity: info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)

Extracted artifacts (8)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size

objdata_00_off0000291d.bin | rtf-objdata-decoded | RTF \objdata at offset 0x291D | 25147 bytes
  SHA-256: 67d9f7ccca6b56f3a381cff5b6ed1010eaf6b20a207f9520a158de76f63a8378
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely

objdata_01_off00014508.bin | rtf-objdata-decoded | RTF \objdata at offset 0x14508 | 25147 bytes
  SHA-256: 41546d8d317d957647ff55847414c50f114368d65cd9248c320f4f862215ce5c
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely

objdata_02_off0002616f.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2616F | 25147 bytes
  SHA-256: 1411db758d97c07c817305710c7539f19d341087583bf2a06bc7510ede3c57e5
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely

objdata_03_off00037dd8.bin | rtf-objdata-decoded | RTF \objdata at offset 0x37DD8 | 25147 bytes
  SHA-256: 0b5080ff4b5247bf8e808400351811b2af225036c5dc9173dcdcf060f092230f
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely

objdata_04_off00049a41.bin | rtf-objdata-decoded | RTF \objdata at offset 0x49A41 | 25147 bytes
  SHA-256: 8292d1ff2325d14d4880efcd330dd3a92d00ee1abf39f79a73f7f9b4dbf5b9ba
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely

objdata_05_off0005b6aa.bin | rtf-objdata-decoded | RTF \objdata at offset 0x5B6AA | 25147 bytes
  SHA-256: 23fc37b0799dfa945a98db5c442f0ae4efc2c1bdd5fc3647b379d55a88bffa30
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely

objdata_06_off0006d313.bin | rtf-objdata-decoded | RTF \objdata at offset 0x6D313 | 25147 bytes
  SHA-256: 38520b8f3acd2665f887214efeeae12d51bdbae62991deb7d62a9882d21d403f
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely

objdata_07_off0007ef7c.bin | rtf-objdata-decoded | RTF \objdata at offset 0x7EF7C | 7375 bytes
  SHA-256: 66bfdd4f787db9dc5140cd95d35cd659684f9f87dd8d0d9b7b97887ebea809f8