Malicious RTF — malware analysis report

Static analysis result for SHA-256 f770c29a134510e3…

Verdict: MALICIOUS
File type: RTF
Size: 1022.5 KB   Created: 2018-06-01 14:25:00   First seen: 2021-02-23
MD5: d32a536db15f0b711422c643c83b1d2c
SHA-1: 500c033742d613a3e8bdc487878013a05c7a03d3
SHA-256: f770c29a134510e34ce05da0c030664562a48419d1d69cb8e4db2c99978e180c
Risk score: 242

Heuristics (6)

  • Composite Moniker in RTF OLE object [high, CVE related] RTF_COMPOSITE_MONIKER_RELATED
    RTF contains the Composite Moniker CLSID in an OLE object context, but no nearby scriptlet (.sct) payload was confirmed. Treat this as evidence of moniker-related attack surface rather than proof of CVE-2017-8570 exploitation.
  • ClamAV: Xls.Malware.Generic-6834349-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.Generic-6834349-0
  • \objupdate forces OLE activation [high] RTF_OBJUPDATE
    RTF contains \objupdate, which makes Word update the embedded object (and therefore load its OLE server) as soon as the document is opened, without the user activating it. Commonly seen in Equation Editor exploit documents.
  • OLE object data [medium] RTF_OBJDATA
    RTF contains 10 \objdata sections (embedded OLE objects); each one is carved and listed under Extracted artifacts below.
  • Embedded OLE object [medium] RTF_OBJEMB
    RTF contains \objemb (an embedded, as opposed to linked, OLE object).
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2003/wordml (in RTF body). This is the standard WordprocessingML namespace URI and is expected in Word-generated RTF; on its own it is not an indicator.
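The four RTF heuristics above (\objupdate, \objemb, \objdata and the Composite Moniker CLSID) can be reproduced with a short triage script. The following is an added example, not the analysis tool's own code: it carves each {\*\objdata} group, hex-decodes it, parses the OLE 1.0 object header to recover the class name, hashes the decoded blob the way the artifact list below does, and checks for the Composite Moniker CLSID bytes. The RTF it runs on is constructed inline (the class names "Equation.3" and "OLE2Link" and the payload bytes are filler, not exploit content), and the carver is a simplification of what tools such as oletools' rtfobj do.

```python
"""Triage an RTF for \\objupdate, \\objemb, \\objdata payloads and the Composite Moniker CLSID.

Added example, not the analysis tool's code. The sample RTF is constructed inline so the
script runs offline; its class names and payload bytes are filler.
"""
import hashlib
import re
import struct
import uuid

# {00000309-0000-0000-C000-000000000046} is CLSID_CompositeMoniker. bytes_le gives the 16-byte
# on-disk form (first three GUID fields little-endian) that appears inside OLE streams.
COMPOSITE_MONIKER_CLSID = uuid.UUID("00000309-0000-0000-C000-000000000046").bytes_le


def extract_objdata_hex(rtf_text):
    """Return the hex payload of every \\objdata group, nested groups and control words stripped.
    Simplified: real samples also hide hex behind \\bin, escapes and deeper nesting."""
    payloads = []
    for m in re.finditer(r"\\objdata\b", rtf_text):
        start = m.end()
        depth, pos = 0, start
        while pos < len(rtf_text):          # walk to the brace that closes this group
            ch = rtf_text[pos]
            if ch == "{":
                depth += 1
            elif ch == "}":
                if depth == 0:
                    break
                depth -= 1
            pos += 1
        body = re.sub(r"\\[A-Za-z]+-?\d* ?", "", rtf_text[start:pos])   # drop control words
        payloads.append(re.sub(r"[^0-9A-Fa-f]", "", body))               # keep hex digits only
    return payloads


def parse_ole1_object(blob):
    """Parse the OLE 1.0 ObjectHeader (MS-OLEDS 2.2.4) at the start of a decoded \\objdata blob."""
    off = 0

    def u32():
        nonlocal off
        if off + 4 > len(blob):
            raise ValueError("truncated OLE 1.0 header")
        value = struct.unpack_from("<I", blob, off)[0]
        off += 4
        return value

    def lp_ansi():  # LengthPrefixedAnsiString: u32 length (incl. NUL) followed by the bytes
        nonlocal off
        length = u32()
        if length > len(blob) - off:
            raise ValueError("length-prefixed string runs past end of object")
        raw = blob[off:off + length]
        off += length
        return raw.rstrip(b"\x00").decode("latin-1")

    ole_version = u32()      # normally 0x00000501
    format_id = u32()        # 1 = linked object, 2 = embedded object
    class_name = lp_ansi()   # ProgID of the OLE server, e.g. "Equation.3", "Package"
    topic_name = lp_ansi()
    item_name = lp_ansi()
    native = b""
    if format_id == 2:
        size = u32()         # NativeDataSize, then NativeData
        native = blob[off:off + size]
    return {"ole_version": ole_version, "format_id": format_id, "class_name": class_name,
            "topic_name": topic_name, "item_name": item_name, "native_size": len(native)}


def triage_rtf(rtf_text):
    """Document-level control-word checks plus per-object parsing, hashing and CLSID scan."""
    report = {
        "objupdate": re.search(r"\\objupdate\b", rtf_text) is not None,
        "objemb": re.search(r"\\objemb\b", rtf_text) is not None,
        "objects": [],
    }
    for hexdata in extract_objdata_hex(rtf_text):
        blob = bytes.fromhex(hexdata[:len(hexdata) & ~1])   # drop a dangling nibble
        obj = parse_ole1_object(blob)
        obj["size"] = len(blob)
        obj["sha256"] = hashlib.sha256(blob).hexdigest()
        obj["composite_moniker"] = COMPOSITE_MONIKER_CLSID in blob
        report["objects"].append(obj)
    return report


def build_ole1_object(class_name, native, format_id=2):
    """Serialise a minimal OLE 1.0 object (inverse of parse_ole1_object) for the constructed sample."""
    def lp_ansi(s):
        return struct.pack("<I", 0) if not s else struct.pack("<I", len(s) + 1) + s.encode("latin-1") + b"\x00"
    header = struct.pack("<II", 0x00000501, format_id) + lp_ansi(class_name) + lp_ansi("") + lp_ansi("")
    return header + struct.pack("<I", len(native)) + native


def build_sample_rtf():
    """Constructed RTF: an 'Equation.3' object with filler data, and an 'OLE2Link' object whose
    native data carries the Composite Moniker CLSID so the check has something to hit."""
    objects = [
        build_ole1_object("Equation.3", b"\x1c\x00" + b"A" * 40),
        build_ole1_object("OLE2Link", COMPOSITE_MONIKER_CLSID + b"\x00" * 16),
    ]
    groups = []
    for obj in objects:
        hexdata = obj.hex()
        wrapped = "\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))  # writers wrap hex
        groups.append("{\\object\\objemb\\objupdate{\\*\\objdata\n" + wrapped + "\n}}")
    return "{\\rtf1\\ansi Constructed sample.\\par\n" + "\n".join(groups) + "\n}"


if __name__ == "__main__":
    result = triage_rtf(build_sample_rtf())
    print("objupdate:", result["objupdate"], " objemb:", result["objemb"])
    for i, obj in enumerate(result["objects"]):
        print(f"objdata_{i:02d}: class={obj['class_name']!r} size={obj['size']} "
              f"native={obj['native_size']} composite_moniker={obj['composite_moniker']} "
              f"sha256={obj['sha256']}")
```

Run against a real sample, replace `build_sample_rtf()` with the file contents read as text; the per-object size and SHA-256 are what the artifact list below reports for each carved \objdata section, and the class name tells you which OLE server \objupdate will load.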

Extracted artifacts (10)

Files carved from inside the sample during analysis. All ten decoded \objdata objects are exactly 35899 bytes and hit the same ClamAV signature, yet each has a distinct SHA-256, so they are not byte-identical copies.

Filename | Kind | Source | Size

objdata_00_off00003d2a.bin
  Kind: rtf-objdata-decoded   Source: RTF \objdata at offset 0x3D2A   Size: 35899 bytes
  SHA-256: 7f20f9bd39ee939bb40ebde988fb52665938fd1c9201639ef802b1805477111e
  Detection: ClamAV: Xls.Malware.Generic-6834349-0
  Obfuscation or payload: unlikely

objdata_01_off0001ae48.bin
  Kind: rtf-objdata-decoded   Source: RTF \objdata at offset 0x1AE48   Size: 35899 bytes
  SHA-256: 362e8d1c99afbec0e5389b27148692719713b8c225cb0f35c40b611292a31086
  Detection: ClamAV: Xls.Malware.Generic-6834349-0
  Obfuscation or payload: unlikely

objdata_02_off00031f66.bin
  Kind: rtf-objdata-decoded   Source: RTF \objdata at offset 0x31F66   Size: 35899 bytes
  SHA-256: 68fc7f22cf63062954bd20651e5e9966a965716b39f810887d69c09a9ef5886e
  Detection: ClamAV: Xls.Malware.Generic-6834349-0
  Obfuscation or payload: unlikely

objdata_03_off00049084.bin
  Kind: rtf-objdata-decoded   Source: RTF \objdata at offset 0x49084   Size: 35899 bytes
  SHA-256: 9acaa5726ffa511dc40704822415ddd02f74d557ba4b6a0ca396a9e83ff044fc
  Detection: ClamAV: Xls.Malware.Generic-6834349-0
  Obfuscation or payload: unlikely

objdata_04_off000601a2.bin
  Kind: rtf-objdata-decoded   Source: RTF \objdata at offset 0x601A2   Size: 35899 bytes
  SHA-256: cd109ca8cf9702e1730c3ab77763db80edef0bb0ee18dbd672423a620be19ca3
  Detection: ClamAV: Xls.Malware.Generic-6834349-0
  Obfuscation or payload: unlikely

objdata_05_off000772c7.bin
  Kind: rtf-objdata-decoded   Source: RTF \objdata at offset 0x772C7   Size: 35899 bytes
  SHA-256: 0bfbb6bd240ae766f2bad003cd9ce3a648e723c4e47ae0083ea61394788aa0b8
  Detection: ClamAV: Xls.Malware.Generic-6834349-0
  Obfuscation or payload: unlikely

objdata_06_off0008e3e5.bin
  Kind: rtf-objdata-decoded   Source: RTF \objdata at offset 0x8E3E5   Size: 35899 bytes
  SHA-256: 60df28a0b21a4819bd2a1d9381b382a8bfb9cda0f40b1e49ddc2230a6e18b401
  Detection: ClamAV: Xls.Malware.Generic-6834349-0
  Obfuscation or payload: unlikely

objdata_07_off000a5503.bin
  Kind: rtf-objdata-decoded   Source: RTF \objdata at offset 0xA5503   Size: 35899 bytes
  SHA-256: 77249ecb0a12beae21962538aaf91eb8296935f6c8d9c54fa8ebf7a3253329c4
  Detection: ClamAV: Xls.Malware.Generic-6834349-0
  Obfuscation or payload: unlikely

objdata_08_off000bc621.bin
  Kind: rtf-objdata-decoded   Source: RTF \objdata at offset 0xBC621   Size: 35899 bytes
  SHA-256: 2d4aee2b5ed708090f14ec6be7735bfbbefb2b546445a0ed249e27a55fb3af52
  Detection: ClamAV: Xls.Malware.Generic-6834349-0
  Obfuscation or payload: unlikely

objdata_09_off000d373f.bin
  Kind: rtf-objdata-decoded   Source: RTF \objdata at offset 0xD373F   Size: 35899 bytes
  SHA-256: c1ae3e0230e9b52f30322f1b5c9cc16bedf7bd3569114d4eb10fc30253617376
  Detection: ClamAV: Xls.Malware.Generic-6834349-0
  Obfuscation or payload: unlikely