Create Interactive Tour

Windows Analysis Report
SecuriteInfo.com.Exploit.RTF-ObfsObjDat.Gen.4112.8731.rtf

Overview

General Information

Sample Name:	SecuriteInfo.com.Exploit.RTF-ObfsObjDat.Gen.4112.8731.rtf
Analysis ID:	1266649
MD5:	f0a7729bda6a95e7a0d9c1b6804e7e9f
SHA1:	aed6edb5380af3864621231846548bf2bb6c0762
SHA256:	7962acb951893a7f53511cba33f4cca6d8fa3da3a7e7a622d148827687327dca
Tags:	CVE-2017-11882rtf
Infos:

Detection

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara signature match

Document misses a certain OLE stream usually present in this Microsoft Office document type

Classification

Process Tree

System is w10x64

WINWORD.EXE (PID: 7156 cmdline: "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding MD5: 0B9AB9B9C4DE429473D6450D4297A123)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
SecuriteInfo.com.Exploit.RTF-ObfsObjDat.Gen.4112.8731.rtf	INDICATOR_RTF_MalVer_Objects	Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.	ditekSHen	0x4a72:$obj2: \objdata 0x4a5e:$obj3: \objupdate 0x4a39:$obj5: \objautlink

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

• AV Detection
• Compliance
• System Summary
• Hooking and other Techniques for Hiding and Protection

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.Exploit.RTF-ObfsObjDat.Gen.4112.8731.rtf

Avira: detected

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Exploit.RTF-ObfsObjDat.Gen.4112.8731.rtf	ReversingLabs: Detection: 36%
Source: SecuriteInfo.com.Exploit.RTF-ObfsObjDat.Gen.4112.8731.rtf	Virustotal: Detection: 50%			Perma Link

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: SecuriteInfo.com.Exploit.RTF-ObfsObjDat.Gen.4112.8731.rtf, type: SAMPLE

Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 4	Screenshot OCR: Enable editing") Rom the yellow bar ' aboveASSIGNMENTMCS 473: MARKETING MANAGEMENT & STRATEGYSTUDEN
Source: Screenshot number: 8	Screenshot OCR: Enable editing") Rom the yellow bar ' aboveASSIGNMENTMCS 473: MARKETING MANAGEMENT & STRATEGYSTUDEN
Source: Screenshot number: 12	Screenshot OCR: Enable editing") Rom the yellow bar ' aboveASSIGNMENTMCS 473: MARKETING MANAGEMENT & STRATEGYSTUDEN

Source: SecuriteInfo.com.Exploit.RTF-ObfsObjDat.Gen.4112.8731.rtf, type: SAMPLE

Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.

Source: ~WRF{4F04F7D1-0E50-4E05-8738-87B3D1BDF273}.tmp.0.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: SecuriteInfo.com.Exploit.RTF-ObfsObjDat.Gen.4112.8731.rtf	ReversingLabs: Detection: 36%
Source: SecuriteInfo.com.Exploit.RTF-ObfsObjDat.Gen.4112.8731.rtf	Virustotal: Detection: 50%

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\{7250A7AA-F75F-46BB-97A7-D246248E22E6} - OProcSessId.dat

Jump to behavior

Source: classification engine

Classification label: mal72.winRTF@1/8@0/0

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: SecuriteInfo.com.Exploit.RTF-ObfsObjDat.Gen.4112.8731.LNK.0.dr

LNK file: ..\..\..\..\..\Desktop\SecuriteInfo.com.Exploit.RTF-ObfsObjDat.Gen.4112.8731.rtf

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Source: ~WRF{4F04F7D1-0E50-4E05-8738-87B3D1BDF273}.tmp.0.dr

Initial sample: OLE indicators vbamacros = False

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 Masquerading	OS Credential Dumping	1 File and Directory Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	1 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Exploit.RTF-ObfsObjDat.Gen.4112.8731.rtf	37%	ReversingLabs	Document-RTF.Exploit.CVE-2017-11882
SecuriteInfo.com.Exploit.RTF-ObfsObjDat.Gen.4112.8731.rtf	51%	Virustotal		Browse
SecuriteInfo.com.Exploit.RTF-ObfsObjDat.Gen.4112.8731.rtf	100%	Avira	HEUR/Rtf.Malformed

Joe Sandbox Version:	38.0.0 Beryl
Analysis ID:	1266649
Start date and time:	2023-07-04 15:42:44 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	1
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	SecuriteInfo.com.Exploit.RTF-ObfsObjDat.Gen.4112.8731.rtf
Detection:	MAL
Classification:	mal72.winRTF@1/8@0/0
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .rtf

Warnings

Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	1.6010265186054569
Encrypted:	false
SSDEEP:	48:rYPDOTNQcx5T5NEWpa28O51LPuVSqaQAs0b:cPDOzPAzU96S1
MD5:	B76C0AB5D4328935859FD1682D5C7A2F
SHA1:	C3979FD05BD1C58C4C73DE8BCF91F76C9FEFCCCD
SHA-256:	E831E648630A0F9F991E2F9A68E8CE7F5A184C9F05256383E3CC8760A8A91AD1
SHA-512:	A587AAF8DB0E45434B78A7B8DA691908F3D61FD71470169D2591152D2EDB359DBE1D1EAA7A5DE3061038CAF3D7B479FBAF7FA74653A75A5297DB42563876C313
Malicious:	false
Reputation:	low
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{8F556852-06A4-40C8-B592-8CEA3514E0B6}.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	38912
Entropy (8bit):	3.560716336298844
Encrypted:	false
SSDEEP:	768:Ws0SCWiMuz1rqAyLt+eqViz9yCFcEhZVsfYxLzI4MNj:+DvwxKrK2fY4j
MD5:	D662438B546409348D454061CB8A01C8
SHA1:	F1B989DBE27A5C3FE7D219032402154FCD8AA780
SHA-256:	7021570FFA7435D50C4040782DF5573657E28F7568C694261C6B34A31C180523
SHA-512:	BC11B344F35E875E0DA4B5D9061B2D5A66C0E0E24353CA8234F8469CFBD0842981643B3E268B6A3EB613EAFB53ACD0A29BADA8EC569B850F5B9E995489D0F065
Malicious:	false
Reputation:	low
Preview:	........5.3.4.7.3.6.7.1.D.o.c.u.m.e.n.t. .c.r.e.a.t.e.d. .i.n. .e.a.r.l.i.e.r. .v.e.r.s.i.o.n. .m.i.c.r.o.s.o.f.t. .o.f.f.i.c.e. .w.o.r.d...T.o. .v.i.e.w. .o.r. .e.d.i.t. .t.h.i.s. .d.o.c.u.m.e.n.t.,. .p.l.e.a.s.e. .c.l.i.c.k. .(.".E.n.a.b.l.e. .e.d.i.t.i.n.g.".). .f.r.o.m. .t.h.e. .y.e.l.l.o.w. .b.a.r. .a.b.o.v.e.A.S.S.I.G.N.M.E.N.T.M.C.S. .4.7.3.:. .M.A.R.K.E.T.I.N.G. .M.A.N.A.G.E.M.E.N.T. .&. .S.T.R.A.T.E.G.Y.S.T.U.D.E.N.T. .N.A.M.E.:. .F.r.a.n.k. .H.u.t.t.o.n.S.T.U.D.E.N.T. .N.o.:. .2.0.7.2.4.4.1.4.I.N.D.E.X. .N.o.:. .5.0.5.6.1.2.0.C.E.N.T.R.E.:. .G.R.E.E.N.F.I.E.L.D.S.1... .i... .G.u.e.r.i.l.l.a. .m.a.r.k.e.t.i.n.g. .s.t.r.a.t.e.g.y. .r.e.f.e.r.s. .t.o. .a. .s.u.r.p.r.i.s.i.n.g. .a.d.v.e.r.t.i.s.i.n.g. .s.t.r.a.t.e.g.y. .a.n.d. .w.i.t.h. .u.n.c.o.n.v.e.n.t.i.o.n.a.l. .i.n.t.e.r.a.c.t.i.o.n.s. .t.o. .p.r.o.m.o.t.e. .t.h.e. .p.r.o.d.u.c.t.s. .a.n.d. .s.e.r.v.i.c.e.s... .G.u.e.r.i.l.l.a. .m.a.r.k.e.t.i.n.g. .s.t.r.a.t.e.g.y. .i.s. .p.u.b.l.i.c.i.t.y. .p.r.a.c.t.i.c.e.s.,. .l.o.w.-.c.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{C0876A47-8436-4438-9A92-857B2B02111B}.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\SecuriteInfo.com.Exploit.RTF-ObfsObjDat.Gen.4112.8731.LNK

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Aug 16 12:43:28 2022, mtime=Tue Jul 4 12:43:48 2023, atime=Tue Jul 4 12:43:45 2023, length=37871, window=hide
Category:	dropped
Size (bytes):	1270
Entropy (8bit):	4.710405881392672
Encrypted:	false
SSDEEP:	24:8tP3LPNc8mOsC7XyAvbE3pleHC7BD2eLek7aB6m:8h3zNcWsCVvYHeHCnqhB6
MD5:	63468A18C0035EDD9F81A041773CD5D8
SHA1:	054CD29A363A05C2E522BEBB3D237349B6675268
SHA-256:	52A660A31881A8428F7044165364E663B0C4878A0055B82E2A711C34905C7BCB
SHA-512:	002C31D17D8D3FCA74B49F6B1918A4D92389278576836D6EE4D102F048FED8A208F49CB3C75753A9351399943FB5558705CA10FB9B9F0E563BB60044BA8AB1DF
Malicious:	false
Reputation:	low
Preview:	L..................F.... ....%Lv...<..}....7`.}..........................5....P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L...Vqm....................:......;..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....P.1......Upm..user.<.......N...Vqm....#J........................j.o.n.e.s.....~.1......Uqm..Desktop.h.......N...Vqm.....Y..............>.......D.D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2.....Vwm .SECURI~1.RTF..........Uom.Vwm.........................A..S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...E.x.p.l.o.i.t...R.T.F.-.O.b.f.s.O.b.j.D.a.t...G.e.n...4.1.1.2...8.7.3.1...r.t.f.......................-.......~...........>.S......C:\Users\user\Desktop\SecuriteInfo.com.Exploit.RTF-ObfsObjDat.Gen.4112.8731.rtf..P.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...E.x.p.l.o.i.t...R.T.F.-.O.b.f.s.O.b.j.D.a.t...G.e.n...4.1.1.2...8.7.3.1...r.t.f.........:..,.LB.)...As...`.......X.......562258...........!a..%.H

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	164
Entropy (8bit):	5.248362777601857
Encrypted:	false
SSDEEP:	3:bDuMJluscbcTahRFplMCmxWIMov8bcTahRFplMCv:bCVwTmRFplMH8wTmRFplMs
MD5:	2F3E53A31E328338EDF9FEA2E1AD8B2D
SHA1:	418DDED84AFF39E885E6949D2CE6A3C1C656A642
SHA-256:	0FD7009AE78885971E7E0F791A949F5E0A0B366EC14B515DEDE47DF6DB3349EB
SHA-512:	2A107144EB77F6BB2124717C22A578ACC57B06B909D517A9446AC229C309A37C0ECEBAF766E32DC4A9E8E78EE0F448425B1B96B3B11B8CBA2087C620E84A1E7E
Malicious:	false
Reputation:	low
Preview:	[folders]..Templates.LNK=0..SecuriteInfo.com.Exploit.RTF-ObfsObjDat.Gen.4112.8731.LNK=0..[misc??????]..SecuriteInfo.com.Exploit.RTF-ObfsObjDat.Gen.4112.8731.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	3.071081619832247
Encrypted:	false
SSDEEP:	3:Rl/ZdOAJ59lqKDAgnNqmMg6IQLllt:RtZSYAGsTl
MD5:	7CA2729B0CAE5BBCDD5609F71B31F997
SHA1:	792D403EE50ED907FEFE7EAB896BD1BA8D29E6D3
SHA-256:	D9A21F785D8DA0DC95D1231D32FF490AF206E08C4452037CE4542D3CF0FE51E6
SHA-512:	35473F82526037D9E690A81C30BE978A7C82B73947EC62A205675D585F72792686562BA968335DC3E0E0110243BFCACB77570C5A9466D99328CB86750A2803D1
Malicious:	false
Reputation:	low
Preview:	.pratesh................................................p.r.a.t.e.s.h..........e.{............$.......6C.......e.{.....^.i@..iT..i`..iDB.iZR.i.e.{............H...

C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	20
Entropy (8bit):	2.8954618442383215
Encrypted:	false
SSDEEP:	3:QVNliGn:Q9rn
MD5:	C4F79900719F08A6F11287E3C7991493
SHA1:	754325A769BE6ECCC664002CD8F6BDB0D0B8CA4D
SHA-256:	625CA96CCA65A363CC76429804FF47520B103D2044BA559B11EB02AB7B4D79A8
SHA-512:	0F3C498BC7680B4C9167F790CC0BE6C889354AF703ABF0547F87B78FEB0BAA9F5220691DF511192B36AD9F3F69E547E6D382833E6BC25CDB4CD2191920970C5F
Malicious:	false
Preview:	..p.r.a.t.e.s.h.....

C:\Users\user\Desktop\~$curiteInfo.com.Exploit.RTF-ObfsObjDat.Gen.4112.8731.rtf

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	3.071081619832247
Encrypted:	false
SSDEEP:	3:Rl/ZdOAJ59lqKDAgnNqmMg6IQLllt:RtZSYAGsTl
MD5:	7CA2729B0CAE5BBCDD5609F71B31F997
SHA1:	792D403EE50ED907FEFE7EAB896BD1BA8D29E6D3
SHA-256:	D9A21F785D8DA0DC95D1231D32FF490AF206E08C4452037CE4542D3CF0FE51E6
SHA-512:	35473F82526037D9E690A81C30BE978A7C82B73947EC62A205675D585F72792686562BA968335DC3E0E0110243BFCACB77570C5A9466D99328CB86750A2803D1
Malicious:	false
Preview:	.pratesh................................................p.r.a.t.e.s.h..........e.{............$.......6C.......e.{.....^.i@..iT..i`..iDB.iZR.i.e.{............H...

Static File Info

General

File type:	Rich Text Format data, version 1
Entropy (8bit):	4.857786995939398
TrID:	Poser pose (12501/1) 58.12% Rich Text Format (5005/1) 23.27% Rich Text Format (4004/1) 18.61%
File name:	SecuriteInfo.com.Exploit.RTF-ObfsObjDat.Gen.4112.8731.rtf
File size:	37'871 bytes
MD5:	f0a7729bda6a95e7a0d9c1b6804e7e9f
SHA1:	aed6edb5380af3864621231846548bf2bb6c0762
SHA256:	7962acb951893a7f53511cba33f4cca6d8fa3da3a7e7a622d148827687327dca
SHA512:	d2d113d30b0ca563598152ebb705fef2b68cc0173e071e67835bac67313c91f3fc94dc655087b7b8d44fad40a7b266709ad0f4a8ff28e8947857c1869c374b29
SSDEEP:	768:vFx0XaIsnPRIa4fwJMrd9yUVj57Qtcay3ER7mE5v8kCLyYw4w6RtLFx:vf0Xvx3EMreUVj57QKay3E9mcv8kCjwi
TLSH:	E4035E5AE78F02648F811277531B0E8996BDB23EB35155B1786C833433EDC3E4666ABC
File Content Preview:	{\rtf1......{\*\mvertJc11406834 \!}.{\153473671Document created in earlier version microsoft office word.To view or edit this document, please click ("Enable editing") from the yellow bar aboveASSIGNMENTMCS 473: MARKETING MANAGEMENT & STRATEGYSTUDENT NAME

File Icon


Icon Hash:	39f5a98c818aacb3

Static RTF Info

Objects

Id	Start	Format ID	Format	Classname	Datasize	Filename	Sourcepath	Temppath	Exploit
0	00004A7Ch								no

• WINWORD.EXE

Click to jump to process

Memory Usage

• WINWORD.EXE

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Target ID:	0
Start time:	15:43:45
Start date:	04/07/2023
Path:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding
Imagebase:	0x12a0000
File size:	1'937'688 bytes
MD5 hash:	0B9AB9B9C4DE429473D6450D4297A123
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Exploit.RTF-ObfsObjDat.Gen.4112.8731.rtf

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

System Summary

Hooking and other Techniques for Hiding and Protection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRF{4F04F7D1-0E50-4E05-8738-87B3D1BDF273}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{8F556852-06A4-40C8-B592-8CEA3514E0B6}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{C0876A47-8436-4438-9A92-857B2B02111B}.tmp

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\SecuriteInfo.com.Exploit.RTF-ObfsObjDat.Gen.4112.8731.LNK

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

C:\Users\user\Desktop\~$curiteInfo.com.Exploit.RTF-ObfsObjDat.Gen.4112.8731.rtf

Static File Info

General

File Icon

Static RTF Info

Objects

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: WINWORD.EXEPID: 7156, Parent PID: 796

General

File Activities

File Opened

File Created

File Deleted

File Written

File Read

File Attributes Queried

Directory Queried

Other File Operations

Volume Information Queried

Windows Analysis Report
SecuriteInfo.com.Exploit.RTF-ObfsObjDat.Gen.4112.8731.rtf