Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	March 17, 2023, 5:30 p.m.	March 17, 2023, 6:09 p.m.

Size	13.5KB
Type	Rich Text Format data, version 1, unknown character set
MD5	`984eb11b3f5de9345be40b9fdf432400`
SHA256	`d613285ecc373bd6fcc8453ef8e877adba090dbe1a2a585bee5d15865c7ecd62`
CRC32	`A2180797`
ssdeep	`384:8p72r5s4pRAefFUUCpT/qxfRrVvSBx1/j3JQeKr:8p6r5suAeP4T/kTSBb/rM`
Yara	Rich_Text_Format_Zero - Rich Text Format Signature Zero SUSP_INDICATOR_RTF_MalVer_Objects - Detects RTF documents with non-standard version and embedding one of the object mostly observed in exploit (e.g. CVE-2017-11882) documents.

WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE" C:\Users\test22\AppData\Local\Temp\02..................02....................doc
884

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

No Suricata Alerts

No Suricata TLS

file	C:\Users\test22\AppData\Local\Temp\~$..................02....................doc

Time & API	Arguments	Status	Return	Repeated
NtCreateFile March 17, 2023, 5:30 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000494 filepath: C:\Users\test22\AppData\Local\Temp\~$..................02....................doc desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$..................02....................doc create_options: 4194400 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0	0

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory March 17, 2023, 5:30 p.m.	process_identifier: 884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x7ef80000 process_handle: 0xffffffff	1	0	0

filetype_details

Rich Text Format data, version 1, unknown character set

filename

02..................02....................doc

Lionic	Trojan.MSOffice.Generic.4!c
DrWeb	Exploit.Rtf.Obfuscated.32
MicroWorld-eScan	Exploit.RTF-ObfsObjDat.Gen
FireEye	Exploit.RTF-ObfsObjDat.Gen
CAT-QuickHeal	Exp.RTF.Obfus.Gen
McAfee	RTFObfustream.c!984EB11B3F5D
VIPRE	Exploit.RTF-ObfsObjDat.Gen
Arcabit	Exploit.RTF-ObfsObjDat.Gen
Cyren	RTF/CVE-2017-11882
Symantec	Exp.CVE-2017-11882!g2
ESET-NOD32	a variant of DOC/Abnormal.C
Avast	Other:Malware-gen [Trj]
Kaspersky	HEUR:Exploit.MSOffice.Generic
BitDefender	Exploit.RTF-ObfsObjDat.Gen
NANO-Antivirus	Exploit.Rtf.Heuristic-rtf.dinbqn
Emsisoft	Exploit.RTF-ObfsObjDat.Gen (B)
TrendMicro	Trojan.W97M.CVE201711882.SMN
Sophos	Troj/RtfExp-EQ
MAX	malware (ai score=86)
Antiy-AVL	Trojan[Exploit]/MSOffice.CVE-2017-11882
ZoneAlarm	HEUR:Exploit.MSOffice.Generic
GData	Exploit.RTF-ObfsObjDat.Gen
Google	Detected
AhnLab-V3	RTF/Malform-A.Gen
ALYac	Exploit.RTF-ObfsObjDat.Gen
Zoner	Probably Heur.RTFObfuscation
Tencent	Office.Exploit.Generic.Wimw
Ikarus	Win32.Outbreak
AVG	Other:Malware-gen [Trj]

02..................02....................doc