Malicious RTF — malware analysis report

Static analysis result for SHA-256 fd99913f0ed491d0…

MALICIOUS

RTF

Size: 965.2 KB
Created: 2018-04-16 01:07:00
First seen: 2021-02-23
MD5: 6cb5088c2fc1a67d009bb2c1b8f4f1a4
SHA-1: c86b5b493a46d3e293c7d79845c82a11d9fea9cb
SHA-256: fd99913f0ed491d0345bd21390809023f00dec56eacc0fd03e22d5c71e8caac9
Risk score: 82

Heuristics (4)

  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 12 \objdata section(s), i.e. embedded OLE objects.
  • Embedded OLE object (severity: medium, rule: RTF_OBJEMB)
    RTF contains \objemb, an embedded OLE object.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (found in RTF body)

Extracted artifacts (12)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
objdata_00_off00002c44.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2C44 | 27195 bytes | b76045a38306d2abd4462cfe15e64dd5840f68bdb379bd401c36f541384f9e8e
objdata_01_off0001606d.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1606D | 27195 bytes | 72e2060337f954c1e41a2c7bd3c04798352e4f06aa9e3a2582ebbff1bbc8ec4e
objdata_02_off00029496.bin | rtf-objdata-decoded | RTF \objdata at offset 0x29496 | 27195 bytes | c5e901a466802d394493a6920b1582d372c04a75463f28f0dd267bbfd104f465
objdata_03_off0003c8bf.bin | rtf-objdata-decoded | RTF \objdata at offset 0x3C8BF | 27195 bytes | d3a4825e6bdd34f7b3adee0c7d05c22a01f6e547b2335085c019894b60973c43
objdata_04_off0004fce8.bin | rtf-objdata-decoded | RTF \objdata at offset 0x4FCE8 | 27195 bytes | e83ec510ac99f7469cc8325754d87a09e0338696e8014c9525b839ad683f15e9
objdata_05_off00063111.bin | rtf-objdata-decoded | RTF \objdata at offset 0x63111 | 27195 bytes | 695aae75f95e803c2221293325647906b4749bcca9d7b2fc6634984d6ae53192
objdata_06_off00076584.bin | rtf-objdata-decoded | RTF \objdata at offset 0x76584 | 27195 bytes | 9edecb705e347877c5652c8552a4c5d0dd1ddb233352765ddd99746f729359e8
objdata_07_off000899ad.bin | rtf-objdata-decoded | RTF \objdata at offset 0x899AD | 27195 bytes | e1bdc27450ca256b9d312f0e2d0e27f53cfca54ba86832ec886fe15e55dea8f1
objdata_08_off0009cdd6.bin | rtf-objdata-decoded | RTF \objdata at offset 0x9CDD6 | 27195 bytes | fdb367e1c97727c8d3a19e358e834ede2373e2482abb56b21f130a4c6bf6b1a8
objdata_09_off000b01ff.bin | rtf-objdata-decoded | RTF \objdata at offset 0xB01FF | 27195 bytes | 15ad099aeee863d6c90f7c60c0f1b1f3fba78a2debd52c6a52c7689d0b2eca72
objdata_10_off000c3628.bin | rtf-objdata-decoded | RTF \objdata at offset 0xC3628 | 27195 bytes | b87c8ee760246aa5aeb4455e7d4ef402cca9b7d69803dbf12626e3ac73b5d6ee
objdata_11_off000d6a51.bin | rtf-objdata-decoded | RTF \objdata at offset 0xD6A51 | 27195 bytes | f9de20c05f4907462b7961d796d38ee604b1e2612b78cafe8f55da44754a9a29