Rtf.Dropper.Agent-8845244-0 — RTF malware analysis

Static analysis result for SHA-256 1d4a452b49697b23…

Verdict: MALICIOUS
File type: RTF
Size: 252.9 KB
MD5: a2d266a7762322eb41c3ebfe93b536ad
SHA-1: 2b0e0469e43d6bbd8104af98c207531a3bbe0038
SHA-256: 1d4a452b49697b234f275b7667c8ff8dc85365ffe8cf63a02d8be3b7589ca7ca
Risk score: 140

Malware Insights

Rtf.Dropper.Agent-8845244-0 · confidence 95%

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The RTF file exhibits multiple indicators of maliciousness, including embedded OLE objects and an automatic update trigger for these objects. ClamAV specifically identifies it as 'Rtf.Dropper.Agent-8845244-0', strongly suggesting its purpose is to act as a dropper for further malicious payloads. The presence of OLE objects and the RTF structure point towards a delivery mechanism designed to exploit user interaction or automatic activation to execute secondary malware.

Heuristics (4)

  • ClamAV: Rtf.Dropper.Agent-8845244-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Rtf.Dropper.Agent-8845244-0
  • \objupdate forces OLE activation [high, RTF_OBJUPDATE]
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium, RTF_OBJDATA]
    RTF contains 3 \objdata section(s): embedded OLE objects
  • Embedded OLE object [medium, RTF_OBJEMB]
    RTF contains \objemb: embedded OLE object

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: objdata_00_off000000d0.bin
    SHA-256: d248aabb2b667e95bdfdb125e56c15108a36094e64e11e6145cfb5ce524fb0c0
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0xD0
    Size: 15672 bytes