RTF / .DOC malware analysis — malicious · 24b9577c97584ca1

MALICIOUS

RTF / .DOC

81.3 KB Authoring application: Msftedit 5.41.15.1515

MD5: ce474973c5d290e8cbec20b38f638e5c SHA-1: 74b2416c13b31d9c69c951a018c563560900eb5f SHA-256: 24b9577c97584ca148879c2bc52602712a724b977fd1395ca22f991d1207ff42

260 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.001 PowerShell

The RTF document contains embedded OLE objects, including a PE header in hex data, indicating the presence of executable content. ClamAV signatures confirm this as Win.Trojan.Vbkrypt-9795. The document body suggests a social engineering lure related to a lawsuit to trick the user into interacting with the embedded malicious object.

Heuristics 6

PE header (with DOS stub) in hex data critical RTF_MZ_HEX

Hex-encoded PE (MZ + DOS stub) found inside RTF — likely an embedded executable payload
ClamAV: Win.Trojan.Vbkrypt-9795 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Win.Trojan.Vbkrypt-9795
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
Package object class high RTF_OBJCLASS_PACKAGE

OLE Package object — can wrap arbitrary files
OLE object data medium RTF_OBJDATA

RTF contains 1 \objdata section(s) — embedded OLE objects
Embedded OLE object medium RTF_OBJEMB

RTF contains \objemb — embedded OLE object

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off000000cf.bin` `e97c014d6ce9d4736d7101aa703abc322cfed1abfc22052d7ddb040cf54dc4b8`	rtf-objdata-decoded	RTF \objdata at offset 0xCF	36304 bytes
Detection ClamAV: Win.Trojan.Vbkrypt-9795 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.