Malicious RTF — malware analysis report

Static analysis result for SHA-256 d22f5370b5a37077…

Verdict: MALICIOUS
File type: RTF
Size: 192.0 KB
Created: 2018-07-13 13:05:00
First seen: 2021-02-23
MD5: 7e30b1f6350256a7cbc819965546268e
SHA-1: 82f9c831e83fa590d777fd45446be0197f0af311
SHA-256: d22f5370b5a37077ab7408271ed6e6ab76f85bf8f630ed317e599ef1d58ea5a3
Risk score: 242

Heuristics (6)

  • Composite Moniker in RTF OLE object  [high; CVE related]  RTF_COMPOSITE_MONIKER_RELATED
    RTF contains a Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
  • ClamAV: Xls.Malware.Sload-7135989-0  [critical]  CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.Sload-7135989-0
  • \objupdate forces OLE activation  [high]  RTF_OBJUPDATE
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data  [medium]  RTF_OBJDATA
    RTF contains 3 \objdata section(s) (embedded OLE objects).
  • Embedded OLE object  [medium]  RTF_OBJEMB
    RTF contains \objemb (embedded OLE object).
  • Embedded URL  [info]  EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • objdata_00_off00003c28.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x3C28
    Size: 24635 bytes
    SHA-256: f9b900f097c748320dcd2a6332d4cd77bea7f277bfb44d8515a1a0d1c41c1f3a
    Detection: ClamAV: Xls.Malware.Sload-7135989-0
    Obfuscation or payload: unlikely
  • objdata_01_off0001546a.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x1546A
    Size: 24635 bytes
    SHA-256: 589b5d144bd9f2431d9e08ffe71d09056c0ff62194ffbe40cd831f13908145b1
    Detection: ClamAV: Xls.Malware.Sload-7135989-0
    Obfuscation or payload: unlikely
  • objdata_02_off00026cac.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x26CAC
    Size: 18707 bytes
    SHA-256: 17db9c404a750be23768a299452eb68412e6bd594259c5710ee2500db561938f