Malicious RTF — malware analysis report

Static analysis result for SHA-256 cf13ab9407f79003…

Verdict: MALICIOUS
File type: RTF
Size: 993.6 KB
Created: 2018-06-19 11:56:00
First seen: 2021-02-23
MD5: c39d3d9490064547d93131f11eceb8ec
SHA-1: e8d82e12dc9ed33ea7849990fb3cbb8024cd0c03
SHA-256: cf13ab9407f790032339163897878fe2e6272757a598ee3474f34351fd6ad1b2
Risk score: 242

Heuristics (6)

  • Composite Moniker in RTF OLE object [severity: high; CVE related; RTF_COMPOSITE_MONIKER_RELATED]
    RTF contains a Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
  • ClamAV: Xls.Malware.Generic-6834349-0 [severity: critical; CLAMAV_DETECTION]
    ClamAV detected this file as malware: Xls.Malware.Generic-6834349-0
  • \objupdate forces OLE activation [severity: high; RTF_OBJUPDATE]
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [severity: medium; RTF_OBJDATA]
    RTF contains 10 \objdata sections (embedded OLE objects).
  • Embedded OLE object [severity: medium; RTF_OBJEMB]
    RTF contains \objemb (embedded OLE object).
  • Embedded URL [severity: info; EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (channel: RTF body)

Extracted artifacts (10)

Files carved from inside the sample during analysis.

Each entry lists the carved file's name, kind, source location in the RTF, size, SHA-256, detection, and obfuscation/payload assessment.

objdata_00_off00003da2.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x3DA2
  Size: 35899 bytes
  SHA-256: 40bbb8f12edbadcecac678e9bf76962e85bf768891e5d49a5102e7aea2890784
  Detection: ClamAV: Xls.Malware.Generic-6834349-0
  Obfuscation or payload: unlikely

objdata_01_off0001aed3.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x1AED3
  Size: 35899 bytes
  SHA-256: 35b342b69b6f9890ae95b75f70066bc84a41e572ccd503f1efbe83264675ef7e
  Detection: ClamAV: Xls.Malware.Generic-6834349-0
  Obfuscation or payload: unlikely

objdata_02_off00032004.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x32004
  Size: 35899 bytes
  SHA-256: d88577a6391b96d64bc214423a083c74c169dbc22dc4c888fd70140b84a97ae9
  Detection: ClamAV: Xls.Malware.Generic-6834349-0
  Obfuscation or payload: unlikely

objdata_03_off00049135.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x49135
  Size: 35899 bytes
  SHA-256: 10945e45b573c99069ccd597678e1e6843404fe136b14875f18de308c29e0b07
  Detection: ClamAV: Xls.Malware.Generic-6834349-0
  Obfuscation or payload: unlikely

objdata_04_off00060266.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x60266
  Size: 35899 bytes
  SHA-256: 3f10e5743cacd72b4932e42cfcd8fc9464cbfc09e84141a5bbba9b503fbda1a9
  Detection: ClamAV: Xls.Malware.Generic-6834349-0
  Obfuscation or payload: unlikely

objdata_05_off0007c1a1.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x7C1A1
  Size: 35899 bytes
  SHA-256: 040c54ac66e565b744261e4394bbae3d5cf21bd2999ca5f4cdd8e1e72be7fa50
  Detection: ClamAV: Xls.Malware.Generic-6834349-0
  Obfuscation or payload: unlikely

objdata_06_off000931eb.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x931EB
  Size: 35899 bytes
  SHA-256: 0a73661038583fdc0b7bdbb584ba6ddbf3bee3a2b1b8666119c1613c85bb0c84
  Detection: ClamAV: Xls.Malware.Generic-6834349-0
  Obfuscation or payload: unlikely

objdata_07_off000aa33c.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0xAA33C
  Size: 35899 bytes
  SHA-256: 54e126d43f6e0bba3ad66adbaddeba16ea8a23af1e51c4587626d411bc9897f8
  Detection: ClamAV: Xls.Malware.Generic-6834349-0
  Obfuscation or payload: unlikely

objdata_08_off000c148d.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0xC148D
  Size: 35899 bytes
  SHA-256: e9f83f7fd8bcb543d30fe9aa5f6714b90349361bc1d6f3bcfc1205f3b70db1b2
  Detection: ClamAV: Xls.Malware.Generic-6834349-0
  Obfuscation or payload: unlikely

objdata_09_off000d85de.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0xD85DE
  Size: 35899 bytes
  SHA-256: ff14912a443887fca810fcc340caa3991f5409330ea162b6bd2b667c50291970
  Detection: ClamAV: Xls.Malware.Generic-6834349-0
  Obfuscation or payload: unlikely