SUSP_Doc_RTF_OLE2Link_EMAIL_Jun22

Rule Info

Name
SUSP_Doc_RTF_OLE2Link_EMAIL_Jun22
Author
Christian Burkard
Description
Detects a suspicious pattern in RTF files which downloads external resources inside e-mail attachments
Score
75
Reference
Internal Research
Date
2022-06-01
Minimum Yara
1.7
Rule Hash
f9222ea38e3fd3e18d4ec45aad4e1f42
Tags
['SUSP', 'DEMO']
Required Modules
[]
Virustotal Matches
https://www.virustotal.com/gui/search/susp_doc_rtf_ole2link_email_jun22/comments
Community Rule
https://github.com/Neo23x0/signature-base/search?q=SUSP_Doc_RTF_OLE2Link_EMAIL_Jun22

Antivirus Verdicts

Rating
Number of Samples
Malicious (>= 10 engines)
33
Suspicious (< 10 engines)
1
Clean (0 engines)
1

Rule Matches

Timestamp
Positives
Total
Hash
VT
2024-02-16 10:37:11
10
60
be179001e3c21d702adfbc0415913521cc94aa0c36c63ceebe7a620a5bbc01a5
2024-01-22 18:44:38
13
59
ab3f70f685be4de79b7c61d7f2825e6329f954446917d6d878886baff4fd4985
2024-01-15 23:55:32
13
58
59ac556af2ab3db3f4604cd8a785a588661a2fb907e16fabce1965ac96620614
2024-01-15 23:54:16
13
58
01138ed916b07c18a6a487d90105360ca3bfa45e0e61f16a4797ebff053943db
2024-01-15 23:23:29
13
58
8bb927fc130dc7e3b3cddfcc4f2f3befeadf967888947db8dfb02c10f307484b
2024-01-15 22:47:37
16
58
83c861ef02a46b827186aaf31e904ecd4ff4fe36cdaf182fe55c1d4fc58a7fa2
2023-12-26 02:27:33
15
61
ebd20fa221537139dbbd0d7dd2eaa05175285c9fdc52be0b7596aa63227eb5d3
2023-12-21 21:12:59
15
56
63c819593efdad6ad1e529fe7a98287bd4b98243978ce1a0f637ee3bc0cc1cb7
2023-12-14 12:15:37
13
61
3c467a8a21de1216ed597961164a71c3b5340e0827b31e87ae134bc479591e28
2023-12-13 22:01:38
12
61
8ec02a974fa95aacaaeb17d59a3d2c3fd85dbb5245ea0a343149cba5fd03cc88
2023-12-10 16:05:38
13
61
01348b8a7cc50d5a132066b602faeaef4181c96a5fce6441081df18e104204c4
2023-12-02 18:49:58
12
60
03031f8b0c78666aceb4b96d04457a414c06d65960552612ee61820290a4d350
2023-11-26 03:03:51
12
61
d8282f8671d0964ec20214b594fff57729c176354fa9ef72b9fc05c20d558d7b
2023-11-14 14:43:27
11
61
3d1b6f419ac6e6d77f1c84062c51737697720acbb49098b8cb4b562a7eb3872b
2023-10-29 22:10:00
13
61
49dfabc5a2b9748a7ab011efe70971d1ec23cffd70bbff4cb955202c432f3975
2023-10-10 22:40:14
15
61
7d6db0ec4893750c954b8e5ab10db249bb4beeb203e861c694fb73909449625b
2023-08-10 20:17:44
12
60
dac075e7dd97112617f5403224cfeb444cb2195c1ff9e463aaa3e91a496ce388
2023-08-03 16:29:45
1
59
70b8b54a168b16dd574d9ff7fd2cc9d800081e561bacdb9137097d2c81aa0083
2023-06-13 10:02:10
13
60
d83b67a1e2fdef15aa739a71e5ea2a6cd51304dbd9f0e2ec06001385af61a61e
2023-05-30 23:02:14
12
60
6e26216c740351f5460a2f51b4676606d572fd3012f57fb9e154a34d9242d6ea
2023-05-02 15:11:04
12
59
4252df806473bd261c0a538d4eb0aebaca314c8ffa1e1dc04fa04032a7464657
2023-03-28 01:20:47
11
56
6816a426ca7e0fbbb6c557457652881ce5cd72b3209489f7c1cfb72838badb9a
2023-03-02 00:33:00
12
58
e3dcafd30dc42ccbd9d2726b5ab4bc14318efcee43e9d011bf9ec114458834d9
2023-02-28 13:46:48
0
59
8ad202530fadf434643bc8766976ac5c37208d06870dc91cbdc9b439cd35f08d
2023-02-24 13:07:13
11
62
12c80092e7df5c4cf295eadeb12a713bd791372dad2e3677f04a1676fb2b9779
2023-02-20 16:05:58
21
60
9574d33d7ee275bcd2cc7e0edf3fda23938090d9f71270c0aa2b9d94b2d590bb
2023-02-18 23:04:02
27
60
f5fd086328223ca9bc3e5ebe3dc1f6f3e8a8bc4c9113627e397bd782abe36638
2022-12-19 20:26:02
11
61
a88ca01278a9243c71774da4e4ca446da4efa402af43eac25eea35b30d42bc2c
2022-12-14 06:13:46
16
61
6b83456ea58c909e27dc031842f174d3f1ebbc93f61b977ee6fa722ad0d80fa1
2022-10-14 01:47:35
11
61
73aaa4dfdfba6734dce8ebf86b6338679cdcd2a66646148535e89de48f555b1b
2022-10-04 07:29:46
11
59
af13395a9ccc14850911e2618e311e631e81b1a0f4733f95be0d9469a49bdef0
2022-09-16 21:13:39
39
61
0bd92394ca56429dda829512996fc24d6e3f45f9ac9339f62a2ec284487d7df9
2022-09-11 19:48:10
38
60
981f5fcbb38584fc697719d3466229b64ff1f184f5f48639de8e4cc5a0976ab5
2022-06-11 03:57:07
25
57
1f18048af0b21f183dc5c6704746c80c10e9c9a486d7ec26c7458efa70a4bf9c
2022-06-08 05:57:54
22
57
db9718e5629e663f7894831ea840dbda7ec3db4a0d103defe1d3f95ff1224415

Rule Matches per Month (last 24 months)

THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022