Verdict: MALICIOUS
Risk Score: 102
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment
The RTF file contains multiple OLE objects, a common technique for embedding malicious content. ClamAV specifically identifies this file as 'Doc.Exploit.DDEautoexec-6346603-1', indicating a known exploit related to DDE auto-execution. This suggests the file is designed to leverage DDE to run arbitrary commands on the victim's system, likely delivered as a spearphishing attachment.
Heuristics 4
- ClamAV: Doc.Exploit.DDEautoexec-6346603-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Exploit.DDEautoexec-6346603-1
- OLE object data (medium, RTF_OBJDATA): RTF contains 10 \objdata section(s) — embedded OLE objects
- Embedded OLE object (medium, RTF_OBJEMB): RTF contains \objemb — embedded OLE object
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| objdata_00_off000035c8.bin | rtf-objdata-decoded | RTF \objdata at offset 0x35C8 | 19505 bytes | fee43368a3448f57dd21bcdd985d48377181980814c2f2a99b1b5edb14a79fad |
| objdata_03_off00025529.bin | rtf-objdata-decoded | RTF \objdata at offset 0x25529 | 19505 bytes | bf98a392925e780fa30df447caf81fea3920bc4d0ff9de3e0493e7917e115a41 |
| objdata_07_off000529a9.bin | rtf-objdata-decoded | RTF \objdata at offset 0x529A9 | 19505 bytes | a615d352a5bdb79f1db85d36fb1ad97f34eec9f2ea7d9755a217429b939db5c0 |