Malicious RTF — malware analysis report

Static analysis result for SHA-256 0e5df3452ae11b4f…

Verdict: MALICIOUS
File type: RTF
Size: 474.8 KB
Authoring application: Msftedit 5.41.21.2509
First seen: 2012-09-14
MD5: 389c23cc821ba9e06b58fc0f45a91f1d
SHA-1: 93bc391df529912415602c1f53e56ebdaabc8c46
SHA-256: 0e5df3452ae11b4f8a7ecc48ba6fa79736063fde118b30274735834e3b4aecee
Risk Score: 302

Heuristics (7)

  • Composite Moniker in RTF OLE object [high, CVE related] RTF_COMPOSITE_MONIKER_RELATED
    The RTF contains the CompositeMoniker CLSID in an OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat this as attack-surface evidence related to the moniker technique rather than proof of CVE-2017-8570 exploitation.
  • ClamAV: Win.Trojan.Agent-6950286-1 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Agent-6950286-1
  • PE header (with DOS stub) in hex data [critical] RTF_MZ_HEX
    A hex-encoded PE image (MZ header plus DOS stub) was found inside the RTF, which indicates an embedded executable payload.
  • Package object class [high] RTF_OBJCLASS_PACKAGE
    OLE Package object: the Packager class can wrap an arbitrary file, including an executable.
  • OLE object data [medium] RTF_OBJDATA
    The RTF contains 1 \objdata section (hex-encoded embedded OLE object data).
  • Embedded OLE object [medium] RTF_OBJEMB
    The RTF contains \objemb, marking an embedded (rather than linked) OLE object.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files carved from this sample matched static suspicious-content checks (script obfuscation, encoded payload blobs, packed data, or execution/download terms).

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off000000f8.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0xF8
Size: 233130 bytes
SHA-256: 35cd3fef699fd2d799ac017d5d673985fbdfa00adfcc3d8929f07dc1aadd51c7
Detection: ClamAV Win.Trojan.Agent-6950286-1
Obfuscation or payload: likely
Carved artifact entropy is 7.67, consistent with packed or encrypted content.
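The following Python is an added example, not part of this report or of the engine that produced it. It shows how the heuristic hits and the carved-artifact fields above are derived from a raw RTF: locating each \objdata group and decoding its hex (skipping interleaved control words, a common obfuscation), parsing the OLE 1.0 object header that \objdata carries to recover the class name ("Package") and the native data, checking for an MZ header whose e_lfanew points at a PE signature plus the DOS stub text, scanning for the CompositeMoniker CLSID bytes, and computing Shannon entropy of the native data. The sample RTF it builds is constructed inline and is not the analyzed file; the CLSID constants are the well-known COM class IDs for CompositeMoniker and the OLE Packager; the rule identifiers mirror the report's names but the thresholds (entropy > 7.0) are this example's own assumption.

```python
import hashlib
import math
import re
import struct
import uuid
from collections import Counter

# Well-known COM class IDs that the report's heuristics key on.
CLSID_COMPOSITE_MONIKER = uuid.UUID("00000309-0000-0000-C000-000000000046")  # CompositeMoniker
CLSID_PACKAGE = uuid.UUID("F20DA720-C02F-11CE-927B-0800095AE340")            # OLE Packager
DOS_STUB_TEXT = b"This program cannot be run in DOS mode"

HEX_DIGITS = b"0123456789abcdefABCDEF"
# RTF control word (optional numeric parameter, optional delimiting space),
# a \'xx hex escape, or a control symbol such as \* \{ \}. (\bin N raw-binary
# runs are not handled here.)
CONTROL_WORD = re.compile(rb"\\[A-Za-z]+-?\d* ?|\\'[0-9A-Fa-f]{2}|\\.", re.DOTALL)


def extract_objdata(rtf: bytes):
    """Return [(offset, decoded_bytes)] for every \\objdata hex run in the RTF.

    Hex digits are collected until the enclosing group closes. Whitespace and
    control words inside the run (used as obfuscation) are skipped, and a
    dangling nibble is dropped rather than aborting the decode.
    """
    results = []
    for m in re.finditer(rb"\\objdata(?![A-Za-z])", rtf):
        i, depth, hexbuf = m.end(), 0, bytearray()
        while i < len(rtf):
            c = rtf[i]
            if c == ord("{"):
                depth += 1
                i += 1
            elif c == ord("}"):
                if depth == 0:
                    break
                depth -= 1
                i += 1
            elif c == ord("\\"):
                cw = CONTROL_WORD.match(rtf, i)
                i = cw.end() if cw else i + 1
            else:
                if c in HEX_DIGITS:
                    hexbuf.append(c)
                i += 1
        if len(hexbuf) % 2:
            hexbuf.pop()
        results.append((m.start(), bytes.fromhex(hexbuf.decode("ascii"))))
    return results


def parse_ole1(blob: bytes) -> dict:
    """Parse the OLE 1.0 EmbeddedObject layout carried by \\objdata ([MS-OLEDS]
    2.2.4/2.2.5): OLEVersion, FormatID, length-prefixed ClassName, TopicName and
    ItemName, then NativeDataSize and NativeData. Raises struct.error if truncated."""
    off = 0

    def u32() -> int:
        nonlocal off
        (v,) = struct.unpack_from("<I", blob, off)
        off += 4
        return v

    def lp_string() -> str:  # LengthPrefixedAnsiString; length 0 means absent
        nonlocal off
        n = u32()
        s = blob[off:off + n]
        off += n
        return s.rstrip(b"\x00").decode("latin-1")

    ole_version, format_id = u32(), u32()
    class_name, topic_name, item_name = lp_string(), lp_string(), lp_string()
    native_size = u32()
    native = blob[off:off + native_size]
    return {"ole_version": ole_version, "format_id": format_id, "class_name": class_name,
            "topic_name": topic_name, "item_name": item_name,
            "native_data": native, "native_truncated": len(native) < native_size}


def find_pe(data: bytes) -> int:
    """Offset of the first 'MZ' whose e_lfanew (at +0x3C) points at 'PE\\0\\0', else -1."""
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            (e_lfanew,) = struct.unpack_from("<I", data, pos + 0x3C)
            if data[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\x00\x00":
                return pos
        pos = data.find(b"MZ", pos + 1)
    return -1


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_rtf(rtf: bytes) -> dict:
    """Apply the report's RTF heuristics; returns {rule_id: evidence}."""
    findings = {}
    objdata = extract_objdata(rtf)
    if objdata:
        findings["RTF_OBJDATA"] = f"{len(objdata)} \\objdata section(s)"
    if re.search(rb"\\objemb(?![A-Za-z])", rtf):
        findings["RTF_OBJEMB"] = "\\objemb present"
    if re.search(rb"\\objclass\s+Package\b", rtf):
        findings["RTF_OBJCLASS_PACKAGE"] = "\\objclass Package"
    for offset, blob in objdata:
        if CLSID_COMPOSITE_MONIKER.bytes_le in blob:
            findings["RTF_COMPOSITE_MONIKER_RELATED"] = f"CompositeMoniker CLSID in \\objdata at 0x{offset:X}"
        pe = find_pe(blob)
        if pe != -1:
            stub = " with DOS stub" if DOS_STUB_TEXT in blob else ""
            findings["RTF_MZ_HEX"] = f"PE header{stub} at 0x{pe:X} of decoded \\objdata"
        try:
            obj = parse_ole1(blob)
        except struct.error:
            continue  # not OLE1-shaped; the raw-byte checks above still apply
        if obj["class_name"].lower() == "package" or CLSID_PACKAGE.bytes_le in blob:
            findings["RTF_OBJCLASS_PACKAGE"] = f"OLE1 class {obj['class_name']!r}"
        entropy = shannon_entropy(obj["native_data"])
        if entropy > 7.0:  # assumed threshold for "packed or encrypted"
            findings["EXTRACTED_FILE_STATIC_TRIAGE"] = f"native data entropy {entropy:.2f}"
    return findings


def build_sample_objdata() -> bytes:
    """Constructed OLE1 'Package' object (not a real sample): native data is a
    fake PE (MZ header, DOS stub text, PE signature), the CompositeMoniker CLSID
    and 4 KiB of deterministic high-entropy filler standing in for a packed body."""
    dos_header = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x80)      # e_lfanew = 0x80
    dos_stub = (DOS_STUB_TEXT + b".\r\n$").ljust(0x40, b"\x00")
    filler, state = bytearray(), hashlib.sha256(b"constructed-filler").digest()
    while len(filler) < 4096:
        state = hashlib.sha256(state).digest()
        filler += state
    native = dos_header + dos_stub + b"PE\x00\x00" + CLSID_COMPOSITE_MONIKER.bytes_le + bytes(filler)

    def lp(s: bytes) -> bytes:  # LengthPrefixedAnsiString: length counts the NUL, 0 = absent
        return (struct.pack("<I", len(s) + 1) + s + b"\x00") if s else struct.pack("<I", 0)

    return (struct.pack("<II", 0x00000501, 0x00000002)   # OLEVersion, FormatID = embedded
            + lp(b"Package") + lp(b"") + lp(b"")
            + struct.pack("<I", len(native)) + native)


def build_sample_rtf() -> bytes:
    """Wrap the constructed object in a minimal RTF, hex-encoded the way Word emits
    it, with one control word spliced into the hex run to mimic keyword obfuscation."""
    hexs = build_sample_objdata().hex().encode("ascii")
    body = b"\n".join(hexs[i:i + 64] for i in range(0, len(hexs), 64))
    body = body[:200] + b"\\objw1 " + body[200:]
    return (b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Calibri;}}\n"
            b"{\\object\\objemb\\objw1000\\objh1000{\\*\\objclass Package}\n"
            b"{\\*\\objdata " + body + b"}\n"
            b"{\\result{\\pict\\wmetafile8 0100}}}\n"
            b"Constructed sample, not a real document.\\par}\n")


if __name__ == "__main__":
    for rule, evidence in triage_rtf(build_sample_rtf()).items():
        print(f"{rule}: {evidence}")
```

Run it as-is to see the six rule hits for the constructed sample; point triage_rtf() at the bytes of a real RTF to reproduce the heuristics section, and parse_ole1() plus shannon_entropy() on each decoded \objdata blob to reproduce the extracted-artifact fields. The offset reported for each blob is the position of the \objdata keyword, which matches how the artifact above is named (off000000f8 for 0xF8).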