Verdict: MALICIOUS
Risk Score: 202

Malware Insights

MITRE ATT&CK:
- T1203 Exploitation for Client Execution
- T1059.003 Windows Command Shell
The file is identified as malicious by ClamAV with specific detections for Win.Trojan.DragonOK and an exploit related to CVE-2015-1641. Heuristics indicate the presence of OLE objects and a suspicious invocation of cmd.exe with an execution flag, suggesting exploitation and command execution. The command 'cmd.exe /c reg delete "HKCU1.0" /F' was reconstructed from the document body, indicating an attempt to clean up or manipulate registry keys.
Heuristics (5)

- ClamAV: Win.Trojan.DragonOK-5580506-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Win.Trojan.DragonOK-5580506-0
- Suspicious cmd.exe invocation with execution flag (high, SC_STR_CMD): suspicious cmd.exe invocation with execution flag
- OLE object data (medium, RTF_OBJDATA): RTF contains 2 \objdata section(s), i.e. embedded OLE objects
- Embedded OLE object (medium, RTF_OBJEMB): RTF contains \objemb, an embedded OLE object
- Embedded URL (info, EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| objdata_00_off00007d20.bin | rtf-objdata-decoded | RTF \objdata at offset 0x7D20 | 53 bytes | 27dedb23bebf4c25762971c4eb486b0f3873347bf82424ea00f742257e85dac5 |
| objdata_01_off00007de2.bin | rtf-objdata-decoded | RTF \objdata at offset 0x7DE2 | 14385 bytes | 37fe51c7686c0a83ff80b6afc2bb18b81e1d2d11ee60563d4a3d842301cb1025 |

Detection (ClamAV): Doc.Exploit.CVE_2015_1641-6397417-0
Obfuscation or payload: unlikely