RTF malware analysis — malicious · baf33a62fe368f09

MALICIOUS

RTF

1012.9 KB Created: 2018-06-19 11:58:00 First seen: 2021-02-23

MD5: 7e0adc3bf2a44d793a6f5d7ab55be54c SHA-1: fc23ddab0ba1d9967e3a9da886d776acc1441503 SHA-256: baf33a62fe368f098253f4c69764f47bbd94bc406d16ada2ec0417671bdfb351

242 Risk Score

Heuristics 6

Composite Moniker in RTF OLE object high CVE related RTF_COMPOSITE_MONIKER_RELATED

RTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
ClamAV: Xls.Malware.Generic-6834349-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Malware.Generic-6834349-0
\objupdate forces OLE activation high RTF_OBJUPDATE

RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
OLE object data medium RTF_OBJDATA

RTF contains 10 \objdata section(s) — embedded OLE objects
Embedded OLE object medium RTF_OBJEMB

RTF contains \objemb — embedded OLE object
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.microsoft.com/office/word/2003/wordml In RTF body

Extracted artifacts 10

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off00003d34.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x3D34	35899 bytes
SHA-256: `06bd7d0cdda0c469f444745ba6fdbc56c363edb3724d9d03bc50f5888ddc1fc2`
Detection ClamAV: Xls.Malware.Generic-6834349-0 Obfuscation or payload: unlikely
`objdata_01_off0001ae65.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x1AE65	35899 bytes
SHA-256: `2a569a5056e11c5a70ab8a066d0d667e693d09c90f5d4c7d44037865f473dfb6`
Detection ClamAV: Xls.Malware.Generic-6834349-0 Obfuscation or payload: unlikely
`objdata_02_off00031f96.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x31F96	35899 bytes
SHA-256: `4197a913864768aa63024dc555dd25b6314e2df640d1f73946dc68c86c019816`
Detection ClamAV: Xls.Malware.Generic-6834349-0 Obfuscation or payload: unlikely
`objdata_03_off000490c7.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x490C7	35899 bytes
SHA-256: `eac97b468daef4fcd3587371d15f83f70706270180d44e12ac128f97378c88f6`
Detection ClamAV: Xls.Malware.Generic-6834349-0 Obfuscation or payload: unlikely
`objdata_04_off000601f8.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x601F8	35899 bytes
SHA-256: `92a8fda459f1201e203a8b2b2a748b693f4ffe1a5945b536fae270a6c96edd43`
Detection ClamAV: Xls.Malware.Generic-6834349-0 Obfuscation or payload: unlikely
`objdata_05_off0007e7e2.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x7E7E2	35899 bytes
SHA-256: `9c076a967dbaff70abc49f977ab24c2610959b5501ea89ca3be00a08c3095d90`
Detection ClamAV: Xls.Malware.Generic-6834349-0 Obfuscation or payload: unlikely
`objdata_06_off0009582c.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x9582C	35899 bytes
SHA-256: `6d703d4737bae33a559fe4328f28b0ce4a87baa9155fa8e9a3cbc5d26e5f1ec9`
Detection ClamAV: Xls.Malware.Generic-6834349-0 Obfuscation or payload: unlikely
`objdata_07_off000ac97d.bin`	rtf-objdata-decoded	RTF \objdata at offset 0xAC97D	35899 bytes
SHA-256: `2e28228fd507213c7e9e7a956be61c36473c0d91fed136fba122d682ac49fb14`
Detection ClamAV: Xls.Malware.Generic-6834349-0 Obfuscation or payload: unlikely
`objdata_08_off000c3ace.bin`	rtf-objdata-decoded	RTF \objdata at offset 0xC3ACE	35899 bytes
SHA-256: `6cbadfce9960f58de4f7fd133dede78170308eb9048dcf21d56ca509a5ffa5fa`
Detection ClamAV: Xls.Malware.Generic-6834349-0 Obfuscation or payload: unlikely
`objdata_09_off000dac1f.bin`	rtf-objdata-decoded	RTF \objdata at offset 0xDAC1F	35899 bytes
SHA-256: `4e4716ad67e6a4dd9ac27b05c46be97191233b91336c4599d4ccfd6df0bcec57`
Detection ClamAV: Xls.Malware.Generic-6834349-0 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.