Win.Downloader.VBS-148 RTF malware analysis — malicious · 185f296eb234d707

MALICIOUS

RTF

15.9 KB Authoring application: Msftedit 5.41.15.1515

MD5: 93220fd82fa13db58d014af99a4e67cc SHA-1: 847bcd1ce0a7d6a4201131af4d61e5a823749157 SHA-256: 185f296eb234d707e116e51cc65ef13112dac25b799710a0d4445d77e9be6f56

200 Risk Score

Malware Insights

Win.Downloader.VBS-148 · confidence 95%

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The RTF file contains an embedded OLE object, identified as a package object. Static analysis detected this artifact as Win.Downloader.VBS-148, indicating it is likely a downloader. The embedded object is the primary indicator of malicious intent, suggesting the file is intended to be delivered as a spearphishing attachment to download and execute further malicious payloads.

Heuristics 5

ClamAV: Win.Downloader.VBS-148 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Win.Downloader.VBS-148
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
Package object class high RTF_OBJCLASS_PACKAGE

OLE Package object — can wrap arbitrary files
OLE object data medium RTF_OBJDATA

RTF contains 1 \objdata section(s) — embedded OLE objects
Embedded OLE object medium RTF_OBJEMB

RTF contains \objemb — embedded OLE object

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off000000d1.bin` `bc6709048b571425390ec283c6cfacd9975757e3020f2d2c1dd63d40d6c9924e`	rtf-objdata-decoded	RTF \objdata at offset 0xD1	4107 bytes
Detection ClamAV: Win.Downloader.VBS-148 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.