popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

20...................................20........DOC

MS_RTF_Obfuscation_Objects doc RTF File
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us March 24, 2023, 6:07 p.m. March 24, 2023, 6:17 p.m.
Size 17.9KB
Type Rich Text Format data, version 1, unknown character set
MD5 3d64a167c2f313bac10c89b3d591be13
SHA256 becc292fb633a6d01d47ebf5cedcd0ca4ebe4ec3f7ec8feb64f244c6b3915a7a
CRC32 8246CC0C
ssdeep 384:apK6fVG6PX6h8/+bfzrLctdRK7HH5ttZZtBVhJoQKJiIEB/nJ:z6HvsIMzXcXU7n5tXZtBTiSBh
Yara
  • Rich_Text_Format_Zero - Rich Text Format Signature Zero
  • SUSP_INDICATOR_RTF_MalVer_Objects - Detects RTF documents with non-standard version and embedding one of the object mostly observed in exploit (e.g. CVE-2017-11882) documents.

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

file C:\Users\test22\AppData\Local\Temp\~$...................................20........DOC
Time & API Arguments Status Return Repeated

NtCreateFile

 create_disposition: 5 (FILE_OVERWRITE_IF)
file_handle: 0x00000490
filepath: C:\Users\test22\AppData\Local\Temp\~$...................................20........DOC
desired_access: 0x40100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$...................................20........DOC
create_options: 4194400 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 2 (FILE_CREATED)
share_access: 0 ()
1 0 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 872
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x7ef70000
process_handle: 0xffffffff
1 0 0
filetype_details Rich Text Format data, version 1, unknown character set filename 20...................................20........DOC
Lionic Trojan.MSOffice.ObfsStrm.4!c
MicroWorld-eScan Exploit.RTF-ObfsStrm.Gen
CAT-QuickHeal Exp.RTF.Obfus.Gen
Arcabit Exploit.RTF-ObfsStrm.Gen
Cyren RTF/CVE-2017-11882
Symantec Exp.CVE-2017-11882!g2
ESET-NOD32 a variant of DOC/Abnormal.C
Avast Other:Malware-gen [Trj]
Cynet Malicious (score: 99)
BitDefender Exploit.RTF-ObfsStrm.Gen
NANO-Antivirus Exploit.Rtf.Heuristic-rtf.dinbqn
Tencent Win32.Trojan.Rtf.Rsmw
Sophos Troj/RtfExp-EQ
DrWeb Exploit.Rtf.Obfuscated.32
VIPRE Exploit.RTF-ObfsStrm.Gen
TrendMicro Trojan.W97M.CVE201711882.SMN
McAfee-GW-Edition BehavesLike.Trojan.lq
FireEye Exploit.RTF-ObfsStrm.Gen
Emsisoft Exploit.RTF-ObfsStrm.Gen (B)
Ikarus Win32.Outbreak
Avira HEUR/Rtf.Malformed
Gridinsoft Trojan.U.AgentTesla.bot
Microsoft Exploit:Win32/CVE-2017-11882!ml
GData Exploit.RTF-ObfsStrm.Gen
Google Detected
AhnLab-V3 RTF/Malform-A.Gen
McAfee RTFObfustream.c!3D64A167C2F3
Zoner Probably Heur.RTFObfuscation
MAX malware (ai score=86)
AVG Other:Malware-gen [Trj]