Malicious RTF — malware analysis report

Static analysis result for SHA-256 ec35b57f7c88b3ab…

MALICIOUS

RTF

454.6 KB Created: 2018-04-24 08:49:00 First seen: 2021-02-23
MD5: b724154e473059c87c778e8bc7fb5555 SHA-1: d4e70868623eb94636900a7fd7051210a8e863ea SHA-256: ec35b57f7c88b3ab45b3ec7f0fa80fa6fb783b40fef4df4611253756d160f8fa
244 Risk Score

Heuristics 7

  • Composite Moniker in RTF OLE object high CVE related RTF_COMPOSITE_MONIKER_RELATED
    RTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
  • ClamAV: Doc.Macro.Obfuscation-6391394-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Macro.Obfuscation-6391394-0
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 6 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2003/wordml In RTF body

Extracted artifacts 6

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00002922.bin rtf-objdata-decoded RTF \objdata at offset 0x2922 29243 bytes
SHA-256: c257c78e7ff811a43604fab025f63b5a5463ff191faaeec3c9db0e5f2c3d5934
Detection
ClamAV: Doc.Macro.Obfuscation-6391394-0
Obfuscation or payload: unlikely
objdata_01_off00016554.bin rtf-objdata-decoded RTF \objdata at offset 0x16554 29243 bytes
SHA-256: 1085e0d3098dd193e85ff57b39b45430fc555a19740f67cb675f37fd607e9575
Detection
ClamAV: Doc.Macro.Obfuscation-6391394-0
Obfuscation or payload: unlikely
objdata_02_off0002a201.bin rtf-objdata-decoded RTF \objdata at offset 0x2A201 29243 bytes
SHA-256: bf89ab97e0e490f26060e2c21bf36dc0052bef7a84feda41ba2fb91e1ff0ea59
Detection
ClamAV: Doc.Macro.Obfuscation-6391394-0
Obfuscation or payload: unlikely
objdata_03_off0003deb0.bin rtf-objdata-decoded RTF \objdata at offset 0x3DEB0 29243 bytes
SHA-256: 114464d12b688901f0376e37b3749ab975f2b0230d00f966ca0f3ac3436d8fe7
Detection
ClamAV: Doc.Macro.Obfuscation-6391394-0
Obfuscation or payload: unlikely
objdata_04_off00051b5f.bin rtf-objdata-decoded RTF \objdata at offset 0x51B5F 29243 bytes
SHA-256: 7fe98213b127e414080a9ade3dee891b1c0e8f8fe6aee48eda4fd837b520a676
Detection
ClamAV: Doc.Macro.Obfuscation-6391394-0
Obfuscation or payload: unlikely
objdata_05_off0006580e.bin rtf-objdata-decoded RTF \objdata at offset 0x6580E 24666 bytes
SHA-256: af163c91ad5bbac24ea7ac812ba8d247eeaffb062e78b24950be3d5e838f45f7
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.45, consistent with packed or encrypted content.

Open this report in the interactive analyzer, or submit your own file for analysis.