Malicious RTF — malware analysis report

Static analysis result for SHA-256 ba96da48b50d8222…

MALICIOUS

RTF

Size: 961.2 KB
Created: 2018-06-19 11:21:00
First seen: 2021-02-23
MD5: 567ed0ebe516fda3aa569c7ba063bb29
SHA-1: 9fa85467394881bc043d3e07a538094a0e19da30
SHA-256: ba96da48b50d8222f22425cb5a734ea6524532e897e6c12e36a839a3c9b7d44f
Risk score: 242

Heuristics (6)

  • Composite Moniker in RTF OLE object (severity: high, CVE related) [RTF_COMPOSITE_MONIKER_RELATED]
    RTF contains the Composite Moniker CLSID in an OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat this as attack-surface evidence related to moniker abuse rather than proof of CVE-2017-8570 exploitation.
  • ClamAV: Xls.Malware.Generic-6834349-0 (severity: critical) [CLAMAV_DETECTION]
    ClamAV detected this file as malware: Xls.Malware.Generic-6834349-0. This is a generic signature; the Xls prefix is ClamAV's signature naming, not this sample's format, which is RTF.
  • \objupdate forces OLE activation (severity: high) [RTF_OBJUPDATE]
    RTF contains \objupdate, which makes Word update (instantiate) the embedded OLE object as soon as the document is opened, so the object is loaded without any user interaction. It is rare in benign documents and characteristic of Equation Editor exploit documents.
  • OLE object data (severity: medium) [RTF_OBJDATA]
    RTF contains 10 \objdata sections (hex-encoded embedded OLE objects); see the extracted artifacts below.
  • Embedded OLE object (severity: medium) [RTF_OBJEMB]
    RTF contains \objemb (an embedded, as opposed to linked, OLE object).
  • Embedded URL (severity: info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body). This is the standard WordML schema namespace and is expected in Word-generated RTF; on its own it is not an indicator.

Extracted artifacts (10)

Files carved from inside the sample during analysis. All ten carved \objdata blobs have the same size (35899 bytes) but distinct SHA-256 hashes, and each is flagged by ClamAV with the same generic signature as the parent RTF.

Filename | Kind | Source | Size

objdata_00_off00003d12.bin | rtf-objdata-decoded | RTF \objdata at offset 0x3D12 | 35899 bytes
  SHA-256: 6199b178554022b792f606a757d45a725082e7c0de310d63fc96a6b3358b5ef9
  Detection: ClamAV: Xls.Malware.Generic-6834349-0
  Obfuscation or payload: unlikely
objdata_01_off0001ae08.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1AE08 | 35899 bytes
  SHA-256: 192e891fc24b243cf4d2830f15785cc4cf4be56ad65c1179cca0ffd3a1859f30
  Detection: ClamAV: Xls.Malware.Generic-6834349-0
  Obfuscation or payload: unlikely
objdata_02_off00031efe.bin | rtf-objdata-decoded | RTF \objdata at offset 0x31EFE | 35899 bytes
  SHA-256: 998e7d2fb5acf35d5a1da7f170825d880661dccbec86def1f5bea3aea0e56f25
  Detection: ClamAV: Xls.Malware.Generic-6834349-0
  Obfuscation or payload: unlikely
objdata_03_off00048ff4.bin | rtf-objdata-decoded | RTF \objdata at offset 0x48FF4 | 35899 bytes
  SHA-256: 2cdf0b13a2a3c4c7172ed2cd87ff4c944bdf988a2e438b856bb43d13027747fb
  Detection: ClamAV: Xls.Malware.Generic-6834349-0
  Obfuscation or payload: unlikely
objdata_04_off000600ea.bin | rtf-objdata-decoded | RTF \objdata at offset 0x600EA | 35899 bytes
  SHA-256: 1df4b625ce3872daebbc8ca3981e27e30755875656e6d6c4c20e65098fabe8e7
  Detection: ClamAV: Xls.Malware.Generic-6834349-0
  Obfuscation or payload: unlikely
objdata_05_off00077ff0.bin | rtf-objdata-decoded | RTF \objdata at offset 0x77FF0 | 35899 bytes
  SHA-256: 726fd2e01e97aba2e98f5b9bf35c7bd71a39d1b1b6904eb691fd656be4ec3afd
  Detection: ClamAV: Xls.Malware.Generic-6834349-0
  Obfuscation or payload: unlikely
objdata_06_off0008f104.bin | rtf-objdata-decoded | RTF \objdata at offset 0x8F104 | 35899 bytes
  SHA-256: 3943f6395b9492e4256f765c7e38586a2952899217b79e784f579a142dcf17d0
  Detection: ClamAV: Xls.Malware.Generic-6834349-0
  Obfuscation or payload: unlikely
objdata_07_off000a621a.bin | rtf-objdata-decoded | RTF \objdata at offset 0xA621A | 35899 bytes
  SHA-256: 7577de71709df4cf25fb7f4d7c7c58125b4e464c0e19281c98f25df6c7cc5725
  Detection: ClamAV: Xls.Malware.Generic-6834349-0
  Obfuscation or payload: unlikely
objdata_08_off000bd330.bin | rtf-objdata-decoded | RTF \objdata at offset 0xBD330 | 35899 bytes
  SHA-256: bfc2f09b9110d32d013e73dbe13d8a061126d0b92c528c551680136edb8685e7
  Detection: ClamAV: Xls.Malware.Generic-6834349-0
  Obfuscation or payload: unlikely
objdata_09_off000d4446.bin | rtf-objdata-decoded | RTF \objdata at offset 0xD4446 | 35899 bytes
  SHA-256: 5173dd845bf42a892fd10eea19e15fb7eeb7d6187f9d051fd24142bdcd37057b
  Detection: ClamAV: Xls.Malware.Generic-6834349-0
  Obfuscation or payload: unlikely
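As an added example (not the tooling that produced this report, and not code from the sample), the following Python script carves \objdata blobs the way the artifact list above does and checks the RTF heuristics listed earlier: it locates each \objdata group, strips the control words and whitespace that exploit builders interleave with the hex, decodes the hex, records offset, size and SHA-256, parses the OLE1 ObjectHeader for the class name, scans the decoded bytes for the Composite Moniker and Equation Editor CLSIDs, and reports whether \objupdate and \objemb are present. The RTF it runs on is constructed inline and is not the analysed sample; the function names are mine.

```python
"""RTF \objdata carver and OLE triage (added example; constructed input)."""
import hashlib
import re
import struct
import uuid

# Registry CLSIDs worth flagging in RTF/OLE triage (deliberately short list).
KNOWN_CLSIDS = {
    "00000309-0000-0000-c000-000000000046": "Composite Moniker",
    "00000303-0000-0000-c000-000000000046": "File Moniker",
    "0002ce02-0000-0000-c000-000000000046": "Equation.3 (Equation Editor)",
    "f20da720-c02f-11ce-927b-0800095ae340": "Package",
}
# OLE stores GUIDs little-endian, so match on that byte layout.
CLSID_BYTES = {uuid.UUID(k).bytes_le: v for k, v in KNOWN_CLSIDS.items()}

OBJDATA_RE = re.compile(rb"\\objdata(?![A-Za-z])")
# Control words, braces and whitespace that exploit kits sprinkle into the hex.
NOISE_RE = re.compile(rb"\\[A-Za-z]+-?\d*|[{}\s]")


def rtf_group_body(data, start):
    """Bytes from `start` up to the `}` that closes the enclosing RTF group.
    Tracks nested braces and skips backslash escapes such as \\{ and \\}."""
    depth, i = 1, start
    while i < len(data) and depth:
        c = data[i:i + 1]
        if c == b"\\":
            i += 2          # escaped char, or first letter of a control word
            continue
        if c == b"{":
            depth += 1
        elif c == b"}":
            depth -= 1
        i += 1
    return data[start:i - 1] if depth == 0 else data[start:i]


def decode_objdata(body):
    """Strip noise, keep hex digits only, drop a dangling nibble, decode."""
    hexdata = re.sub(rb"[^0-9A-Fa-f]", b"", NOISE_RE.sub(b"", body))
    if len(hexdata) % 2:
        hexdata = hexdata[:-1]
    return bytes.fromhex(hexdata.decode("ascii"))


def parse_ole1_header(blob):
    """OLE1 ObjectHeader (MS-OLEDS): OLEVersion u32, FormatID u32 (1 = linked,
    2 = embedded), then ClassName as u32 length (incl. NUL) + ANSI string."""
    if len(blob) < 12:
        return None
    version, fmt, clen = struct.unpack_from("<III", blob, 0)
    if fmt not in (1, 2) or clen == 0 or 12 + clen > len(blob):
        return None
    name = blob[12:12 + clen].rstrip(b"\0").decode("latin-1", "replace")
    return {"ole_version": version, "format_id": fmt, "class_name": name}


def analyze_rtf(rtf):
    """Return the flags and carved objects a triage report would list."""
    report = {"objupdate": b"\\objupdate" in rtf,
              "objemb": b"\\objemb" in rtf, "objects": []}
    for m in OBJDATA_RE.finditer(rtf):
        blob = decode_objdata(rtf_group_body(rtf, m.end()))
        if not blob:
            continue
        report["objects"].append({
            "offset": m.start(),          # offset of the \objdata control word
            "size": len(blob),
            "sha256": hashlib.sha256(blob).hexdigest(),
            "ole1": parse_ole1_header(blob),
            "clsids": sorted(n for b, n in CLSID_BYTES.items() if b in blob),
        })
    return report


def ole1_object(class_name, native):
    """Build a minimal OLE1 embedded-object stream (for the constructed sample)."""
    cname = class_name.encode() + b"\0"
    return (struct.pack("<II", 0x0501, 2) + struct.pack("<I", len(cname)) + cname
            + struct.pack("<II", 0, 0)          # empty TopicName and ItemName
            + struct.pack("<I", len(native)) + native)


def build_sample_rtf():
    """Constructed sample (not the analysed file): two embedded objects under
    \\objupdate, with the hex broken up by a stray control word and newlines."""
    objs = [
        ole1_object("Package", uuid.UUID(
            "00000309-0000-0000-c000-000000000046").bytes_le + b"\0" * 16),
        ole1_object("Equation.3", uuid.UUID(
            "0002ce02-0000-0000-c000-000000000046").bytes_le + b"A" * 16),
    ]
    groups = b""
    for blob in objs:
        h = blob.hex().encode()
        h = h[:20] + b"\\cf0 \r\n" + h[20:]
        groups += b"{\\object\\objemb\\objupdate{\\*\\objdata " + h + b"}}"
    return b"{\\rtf1\\ansi" + groups + b"\\par}"


if __name__ == "__main__":
    for obj in analyze_rtf(build_sample_rtf())["objects"]:
        print(hex(obj["offset"]), obj["size"], obj["ole1"]["class_name"], obj["clsids"])
```

The carver keys on group nesting rather than on a closing brace search, because attackers pad \objdata groups with nested junk groups and split the hex with control words; both are handled by `rtf_group_body` and `NOISE_RE`. Sizes and hashes are taken over the decoded bytes, which is what the artifact table above reports, so ten blobs of identical size but different hashes would show up exactly as they do there.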