Malicious RTF — malware analysis report

Static analysis result for SHA-256 ec72ea03eab225f3…

Verdict: MALICIOUS
File type: RTF
Size: 567.3 KB
Created: 2018-01-28 01:10:00
First seen: 2021-02-23
MD5: c387633072d76393d722258ae2194862
SHA-1: fda581ecd2f47af64aadbaaae208bad5aa42d29c
SHA-256: ec72ea03eab225f366e825d889d3cc7b1fa7c751c1549c5af59fa25bbefb570b
Risk Score: 82

Heuristics (4)

  • \objupdate forces OLE activation [high] (RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium] (RTF_OBJDATA)
    RTF contains 10 \objdata section(s) — embedded OLE objects.
  • Embedded OLE object [medium] (RTF_OBJEMB)
    RTF contains \objemb — embedded OLE object.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)

Extracted artifacts (10)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
objdata_00_off00002a8f.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2A8F | 15409 bytes | 689e288fb5a5be1b4dfb1a785015dcd1df80999a594f6f08ec8d1612f847ba27
objdata_01_off0001004c.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1004C | 15409 bytes | 09e455896e250f4208d93ee29e49cc3dee52c1ce24e968eb36abc79658e58765
objdata_02_off0001d2d1.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1D2D1 | 15409 bytes | 97a69631ff0ae53bfbd2d15325fb166d9d6ba3d82ea4d6e23e2f4c245243fd38
objdata_03_off0002a556.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2A556 | 15409 bytes | 7edf300d89f50b567d8dbb7b2ce99362ca7c91e104944bc11a8f696be1e6645f
objdata_04_off000377db.bin | rtf-objdata-decoded | RTF \objdata at offset 0x377DB | 15409 bytes | 96a17cb262b11b59cb2292db098ff9070344f18f7e27bc77a06238131c37da38
objdata_05_off00044a60.bin | rtf-objdata-decoded | RTF \objdata at offset 0x44A60 | 15409 bytes | 581af2695179c899ae07bfe2db967f3d89633ae28720f3f28b1088b9a5e04c46
objdata_06_off00051ce5.bin | rtf-objdata-decoded | RTF \objdata at offset 0x51CE5 | 15409 bytes | 13545b8b9e6abecef133c17799380ad1d98c4560e6d684a1e9711999cc4b85d7
objdata_07_off0005ef6a.bin | rtf-objdata-decoded | RTF \objdata at offset 0x5EF6A | 15409 bytes | dbc8828a3152d27efabe0d8f04a2e97240a0eadd9a9bba81012148f5c2b937d9
objdata_08_off0006c1ef.bin | rtf-objdata-decoded | RTF \objdata at offset 0x6C1EF | 15409 bytes | 1d7c8b6aa744873754806ce19f9ccd725c335ea27071cbc84be6166d354cca3b
objdata_09_off00079470.bin | rtf-objdata-decoded | RTF \objdata at offset 0x79470 | 15409 bytes | a9cd7014fc5dd10f6e007539962dc30060657e247c8c779e3ded70dea069028f