Report - damianozx.doc

MS_RTF_Obfuscation_Objects RTF File doc

ScreenShot

Info
Location map


Created	2023.09.08 07:43	Machine	s1_win7_x6403
Filename	damianozx.doc
Type	Rich Text Format data, version 1, unknown character set
AI Score	Not founds	Behavior Score	3.8
ZERO API	file : clean
VT API (file)	35 detected (ObfsObjDat, RTFObfustream, Save, CVE-2017-1188, Camelot, Malicious, score, CVE-2018-0802, dinbqn, Malformed, CVE-2018-0798, RTFMALFORM, RTFDl, Outbreak, Minerva, lyunb, AgentTesla, RVCF, Detected, Probably Heur, RTFObfuscation, CLASSIC, ai score=80)
md5	b719fd07b3c6631dcc61bff0e8588489
sha256	589999aaa2213218a961ade7f48566476d8e78720a8e6051ed3d0bd1fa761e4a
ssdeep	768:pwAbZSibMX9gRWjiRLxUS7jD3HSRPX0S5xyqB:pwAlRRPU4jDCR/0S5xj
imphash
impfuzzy

Network IP location

Signature (8cnts)

Level	Description
danger	File has been identified by 35 AntiVirus engines on VirusTotal as malicious
watch	Communicates with host for which no DNS query was performed
notice	An application raised an exception which may be indicative of an exploit crash
notice	Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice	Creates (office) documents on the filesystem
notice	Creates hidden or system file
notice	RTF file has an unknown character set
info	One or more processes crashed

Rules (2cnts)

Level	Name	Description	Collection
warning	SUSP_INDICATOR_RTF_MalVer_Objects	Detects RTF documents with non-standard version and embedding one of the object mostly observed in exploit (e.g. CVE-2017-11882) documents.	binaries (upload)
info	Rich_Text_Format_Zero	Rich Text Format Signature Zero	binaries (upload)

Network (2cnts) ?

Request	CC	ASN Co	IP4	Rule ?	ZERO ?
http://185.28.39.17:7777/185.28.39.18/damianozx.exe whois			185.28.39.17		clean
185.28.39.17 whois			185.28.39.17		malware

Suricata ids

Similarity measure (PE file only) - Checking for service failure