Malicious RTF — malware analysis report

Static analysis result for SHA-256 e48e453c0ee566ae…

MALICIOUS

RTF

Size: 977.3 KB
Created: 2018-04-16 01:16:00
First seen: 2021-02-23
MD5: 24823a0b6d9e48e4234efd027161c0dd
SHA-1: 951a626874dc8fd7eb28b05fced3681e81bc88b0
SHA-256: e48e453c0ee566aebfc5491602d69a28d9f2c0ea1947dd664484a8fcd1249d9e
Risk score: 82

Heuristics (4)

  • \objupdate forces OLE activation [high] (RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium] (RTF_OBJDATA)
    RTF contains 12 \objdata section(s) — embedded OLE objects
  • Embedded OLE object [medium] (RTF_OBJEMB)
    RTF contains \objemb — embedded OLE object
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)

Extracted artifacts (12)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
objdata_00_off00002c47.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2C47 | 27707 bytes | 0a7eca08a2c01dd75f6d457bf40cf219e240e8c21210cf682b95bc350805c848
objdata_01_off00016478.bin | rtf-objdata-decoded | RTF \objdata at offset 0x16478 | 27707 bytes | a7cd1502217c84840d9ef23b33c266d5937b5053718d235065ec6021a338aa56
objdata_02_off00029ca9.bin | rtf-objdata-decoded | RTF \objdata at offset 0x29CA9 | 27707 bytes | 50bbdcd5b398c2f565158f298756f7f69d832bf175a140d7bda7634069e1b7cb
objdata_03_off0003d4da.bin | rtf-objdata-decoded | RTF \objdata at offset 0x3D4DA | 27707 bytes | 71a29301511570efb11a1df6ad166796f1b034b842a0d0704c305aa6e1ff147b
objdata_04_off00050d0b.bin | rtf-objdata-decoded | RTF \objdata at offset 0x50D0B | 27707 bytes | cdfe987945eefe0df5c7334907580ca27e57dba51a569b112dc091fe829e4944
objdata_05_off0006453c.bin | rtf-objdata-decoded | RTF \objdata at offset 0x6453C | 27707 bytes | beaa76a95ba78edf67e178e1c3b52261528b6c65b617409c61967e34a1db3849
objdata_06_off00077db7.bin | rtf-objdata-decoded | RTF \objdata at offset 0x77DB7 | 27707 bytes | 1456358bd55faed54fed51f459caf890b3aaffc691eab63bb00a95c40841903b
objdata_07_off0008b5e8.bin | rtf-objdata-decoded | RTF \objdata at offset 0x8B5E8 | 27707 bytes | b2dd492d4347ec9306e952e6f0af97e7f5a20ce7868b87c3c0979061c51b65f7
objdata_08_off0009ee19.bin | rtf-objdata-decoded | RTF \objdata at offset 0x9EE19 | 27707 bytes | 7c1abafd363d5e8d0e93bc8f0e917ceae18ef37046f9736c65cf74c4706db473
objdata_09_off000b264a.bin | rtf-objdata-decoded | RTF \objdata at offset 0xB264A | 27707 bytes | 5714fc7e9b1fdd0a6bb56f421993bad37e9d8d4b8478c5043b67d73843bff4bb
objdata_10_off000c5e7b.bin | rtf-objdata-decoded | RTF \objdata at offset 0xC5E7B | 27707 bytes | 46a8f2cd9cf48e0be8548d8e126cb76ca4ae9fedf19b5c13d4e3a3d7c932dac9
objdata_11_off000d96ac.bin | rtf-objdata-decoded | RTF \objdata at offset 0xD96AC | 27707 bytes | 68408ba97c8d5361739e2fa680bba0e1062620648283ede1205432b59d6d6fe3