Malicious RTF — malware analysis report

Static analysis result for SHA-256 cc6e2af726af692a…

Verdict: MALICIOUS
File type: RTF
Size: 827.6 KB
Created: 2018-02-15 08:50:00
First seen: 2021-02-23
MD5: 078024bf070634295c4e9d43ebc68d63
SHA-1: 44756e08841eb0afffd2afb8e3681359c060574c
SHA-256: cc6e2af726af692a9364185c0854b2560e899d8d9fd4b54d514d2df7d2676cd4
Risk score: 202

Heuristics (5)

  • ClamAV: Xls.Downloader.Generic-6750544-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Downloader.Generic-6750544-0
  • \objupdate forces OLE activation (high, RTF_OBJUPDATE)
    RTF contains \objupdate, which makes Word instantiate and update the embedded OLE object automatically when the document is opened, without the user having to double-click it. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (medium, RTF_OBJDATA)
    RTF contains 10 \objdata sections, i.e. 10 hex-encoded embedded OLE objects (each one is carved and listed under Extracted artifacts below).
  • Embedded OLE object (medium, RTF_OBJEMB)
    RTF contains \objemb, the control word that marks an embedded (as opposed to linked) OLE object.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2003/wordml (in RTF body). This is the WordprocessingML 2003 XML namespace identifier that Word writes into documents; it is not fetched when the file is opened and should not be treated as a download or C2 indicator.

Extracted artifacts (10)

Files carved from inside the sample during analysis. All ten objects are the same size (27707 bytes) and carry the same ClamAV detection, but their SHA-256 hashes differ, so they are not byte-identical copies; diff them before assuming a single payload repeated ten times.

Filename | Kind | Source | Size

objdata_00_off00002cc1.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2CC1 | 27707 bytes
  SHA-256: 09b15ca7057f1cb71021a99753adc149104341a8ea7ace1f0bcd425774aa0421
  Detection: ClamAV: Xls.Downloader.Generic-6750544-0
  Obfuscation or payload: unlikely

objdata_01_off000167f3.bin | rtf-objdata-decoded | RTF \objdata at offset 0x167F3 | 27707 bytes
  SHA-256: 23911fcf920633170d8f195be5bf753cfc690e393b48489a006f369a862953ef
  Detection: ClamAV: Xls.Downloader.Generic-6750544-0
  Obfuscation or payload: unlikely

objdata_02_off0002a295.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2A295 | 27707 bytes
  SHA-256: cb2bc933ad3ed4e3fbb252b240436241a356205cf4b9da330c03f25f25105728
  Detection: ClamAV: Xls.Downloader.Generic-6750544-0
  Obfuscation or payload: unlikely

objdata_03_off0003dd35.bin | rtf-objdata-decoded | RTF \objdata at offset 0x3DD35 | 27707 bytes
  SHA-256: 4de81cca1d184574fdc0708f1bcd13d262d4c88547c2ca9facfb101389fa7be4
  Detection: ClamAV: Xls.Downloader.Generic-6750544-0
  Obfuscation or payload: unlikely

objdata_04_off000517d5.bin | rtf-objdata-decoded | RTF \objdata at offset 0x517D5 | 27707 bytes
  SHA-256: 84dd08ffdf2bff7313353621715168c02aa74347a4036f7b2409ce78c0dc2d1d
  Detection: ClamAV: Xls.Downloader.Generic-6750544-0
  Obfuscation or payload: unlikely

objdata_05_off00065275.bin | rtf-objdata-decoded | RTF \objdata at offset 0x65275 | 27707 bytes
  SHA-256: 8c2e66a2d9136f9151bd33c53efffdb176589814927f9c221438663ae99dc2cb
  Detection: ClamAV: Xls.Downloader.Generic-6750544-0
  Obfuscation or payload: unlikely

objdata_06_off00078d20.bin | rtf-objdata-decoded | RTF \objdata at offset 0x78D20 | 27707 bytes
  SHA-256: cd59c02c6b26ae1c7b40a831646b46df619c9e83b83f968259266009b7c4b675
  Detection: ClamAV: Xls.Downloader.Generic-6750544-0
  Obfuscation or payload: unlikely

objdata_07_off0008c7c0.bin | rtf-objdata-decoded | RTF \objdata at offset 0x8C7C0 | 27707 bytes
  SHA-256: 2e64875d35b8314f7b30466eaf0ff39d2e27bc9dccea7872c3652465adde16f6
  Detection: ClamAV: Xls.Downloader.Generic-6750544-0
  Obfuscation or payload: unlikely

objdata_08_off000a0260.bin | rtf-objdata-decoded | RTF \objdata at offset 0xA0260 | 27707 bytes
  SHA-256: 30ce4b2f50e0a4fe3c5fca609271d8f07d003db917b354b2a84011e15c2afa39
  Detection: ClamAV: Xls.Downloader.Generic-6750544-0
  Obfuscation or payload: unlikely

objdata_09_off000b3d00.bin | rtf-objdata-decoded | RTF \objdata at offset 0xB3D00 | 27707 bytes
  SHA-256: 01a1e97185859b76fd15c4beb70b376618f9333906a5ade667deb86d6b611fd0
  Detection: ClamAV: Xls.Downloader.Generic-6750544-0
  Obfuscation or payload: unlikely
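The following is an added, stand-alone illustration of how "rtf-objdata-decoded" artifacts like the ten above are produced and how the RTF_OBJUPDATE / RTF_OBJEMB heuristics are raised; it is example code, not the analysis platform's own carver, and it does not reproduce this sample's objects. It builds a constructed RTF with one embedded OLE 1.0 object (a dummy payload and an assumed class name, Excel.Sheet.8), walks every \objdata group while tracking brace depth and skipping stray control words, hex-decodes the data, parses the OLE 1.0 header (MS-OLEDS: OLEVersion, FormatID, ClassName, TopicName, ItemName, NativeDataSize) to recover the class name and native payload, and reports offset, size and SHA-256 the way the artifact table does. The function names (carve_objdata, parse_ole1, analyse) and the sample are assumptions for the example.

```python
import hashlib
import re
import struct
from binascii import hexlify

# ---- constructed sample: a dummy object, NOT this report's payloads -------
NATIVE = b"FAKE-EMBEDDED-PAYLOAD-FOR-DEMO"   # stands in for the real object

def lp_string(s: bytes) -> bytes:
    """MS-OLEDS LengthPrefixedAnsiString: u32 length counting the NUL, then
    the bytes and NUL; an empty string is just a zero length."""
    if not s:
        return struct.pack("<I", 0)
    return struct.pack("<I", len(s) + 1) + s + b"\x00"

def ole1_object(class_name: bytes, native: bytes) -> bytes:
    """Minimal OLE 1.0 embedded object: OLEVersion, FormatID=2 (embedded),
    ClassName, TopicName, ItemName, NativeDataSize, NativeData."""
    return (struct.pack("<II", 0x00000501, 2)
            + lp_string(class_name) + lp_string(b"") + lp_string(b"")
            + struct.pack("<I", len(native)) + native)

def _wrap_hex(blob: bytes, width: int = 64) -> bytes:
    h = hexlify(blob)                         # line breaks inside \objdata are normal
    return b"\n".join(h[i:i + width] for i in range(0, len(h), width))

SAMPLE_RTF = (  # assumed class name; \objemb + \objupdate as in the report
    b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Calibri;}}\n"
    b"\\pard Quarterly figures attached.\\par\n"
    b"{\\object\\objemb\\objupdate\\objw1000\\objh1000{\\*\\objclass Excel.Sheet.8}\n"
    b"{\\*\\objdata\n" + _wrap_hex(ole1_object(b"Excel.Sheet.8", NATIVE)) + b"\n}}\n"
    b"\\par}\n"
)

# ---- carver -------------------------------------------------------------
HEXDIGITS = b"0123456789abcdefABCDEF"
CONTROL_WORD = re.compile(rb"\\[A-Za-z]+-?\d* ?|\\.", re.S)

def carve_objdata(rtf: bytes):
    """Yield (offset, decoded_bytes) for every \\objdata group. Hex runs until
    the brace that closes the group; whitespace is ignored, brace depth is
    tracked so a nested group does not end the data early, and control words
    dropped into the hex (a common obfuscation) are skipped."""
    for m in re.finditer(rb"\\objdata\b", rtf):
        pos, depth, hexchars = m.end(), 0, bytearray()
        while pos < len(rtf):
            c = rtf[pos:pos + 1]
            if c == b"\\":
                cw = CONTROL_WORD.match(rtf, pos)
                if cw is None:
                    break
                pos = cw.end()
                continue
            if c == b"{":
                depth += 1
            elif c == b"}":
                if depth == 0:
                    break
                depth -= 1
            elif c in HEXDIGITS:
                hexchars += c
            pos += 1
        if len(hexchars) % 2:                 # tolerate a truncated last nibble
            del hexchars[-1]
        yield m.start(), bytes.fromhex(hexchars.decode("ascii"))

def parse_ole1(data: bytes):
    """Parse the OLE 1.0 header; return a dict or None if truncated."""
    if len(data) < 8:
        return None
    version, fmt = struct.unpack_from("<II", data, 0)
    pos, names = 8, []
    for _ in range(3):                        # ClassName, TopicName, ItemName
        if pos + 4 > len(data):
            return None
        (n,) = struct.unpack_from("<I", data, pos)
        pos += 4
        if pos + n > len(data):
            return None
        names.append(data[pos:pos + n].rstrip(b"\x00"))
        pos += n
    native = b""
    if fmt == 2 and pos + 4 <= len(data):     # only embedded objects carry NativeData
        (size,) = struct.unpack_from("<I", data, pos)
        native = data[pos + 4:pos + 4 + size]
    return {"version": version, "format_id": fmt, "class": names[0], "native": native}

def analyse(rtf: bytes):
    """Return (heuristic flags, artifact records) for one RTF file."""
    flags = {"objupdate": b"\\objupdate" in rtf, "objemb": b"\\objemb" in rtf}
    artifacts = []
    for off, blob in carve_objdata(rtf):
        hdr = parse_ole1(blob)
        artifacts.append({"offset": off, "size": len(blob),
                          "sha256": hashlib.sha256(blob).hexdigest(),
                          "class": hdr["class"].decode("latin-1") if hdr else None,
                          "native": hdr["native"] if hdr else b""})
    return flags, artifacts

if __name__ == "__main__":
    flags, arts = analyse(SAMPLE_RTF)
    print("flags:", flags)
    for a in arts:
        print(f"objdata at 0x{a['offset']:X}: {a['size']} bytes "
              f"sha256={a['sha256']} class={a['class']!r}")
```

Run it on a real sample by replacing SAMPLE_RTF with the file's bytes; the offsets it prints are those of the \objdata keyword, and the native payload it returns is what you would hand to a second-stage parser (for an Equation Editor object, the MTEF stream; for an Excel object, the OLE2 compound file). Objects with FormatID 1 (linked) carry no native data and are reported with an empty payload rather than skipped, since a link to an external file is itself worth seeing.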