SUSP_Doc_RTF_OLE2Link_EMAIL_Jun22

Rule Info

Name: SUSP_Doc_RTF_OLE2Link_EMAIL_Jun22
Author: Christian Burkard
Description: Detects a suspicious pattern in RTF files which downloads external resources inside e-mail attachments
Score: 75
Reference: Internal Research
Date: 2022-06-01
Minimum Yara: 1.7
Rule Hash: f9222ea38e3fd3e18d4ec45aad4e1f42
Tags: ['DEMO', 'SUSP']
Required Modules: []

Antivirus Verdicts

Rating: Number of Samples
Malicious (>= 10 engines): 22
Suspicious (< 10 engines): 1
Clean (0 engines): 1

Rule Matches


Rule Matches per Month (last 24 months)