Rtf.Dropper.Agent-9965975-1 — RTF malware analysis

Static analysis result for SHA-256 26866c2b20d8694a…

Verdict: MALICIOUS
File type: RTF
Size: 2.10 MB
First seen: 2021-06-30
MD5: 4e548b5597f995b42decd7591ba4212e
SHA-1: 0e62721485aed575486ba716f83e7deeeb185461
SHA-256: 26866c2b20d8694a6b39b9197c53af67555f1733b63619f4d2d500f2ae1e81d3
Risk score: 322

Malware Insights

Rtf.Dropper.Agent-9965975-1 · confidence 95%

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1203 Exploitation for Client Execution

The RTF file contains multiple indicators of malicious OLE objects, including hex-encoded data and a PE header, strongly suggesting it acts as a dropper. ClamAV identifies it as Rtf.Dropper.Agent-9965975-1, a known dropper family. The embedded OLE objects are likely used to hide and deliver a secondary executable payload.

Heuristics (9)

  • Composite Moniker in RTF OLE object (severity: high; tag: CVE related; rule: RTF_COMPOSITE_MONIKER_RELATED)
    RTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
  • ClamAV: Rtf.Dropper.Agent-9965975-1 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Rtf.Dropper.Agent-9965975-1
  • PE header (with DOS stub) in hex data (severity: critical; rule: RTF_MZ_HEX)
    Hex-encoded PE (MZ + DOS stub) found inside RTF — likely an embedded executable payload
  • \objupdate forces OLE activation (severity: high; rule: RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • Package object class (severity: high; rule: RTF_OBJCLASS_PACKAGE)
    OLE Package object — can wrap arbitrary files
  • Large hex data blocks in OLE object (severity: high; rule: RTF_EXCESSIVE_HEX)
    RTF contains ~2193KB of hex-encoded data inside \objdata sections — may hide a payload
  • OLE object data (severity: medium; rule: RTF_OBJDATA)
    RTF contains 2 \objdata section(s) — embedded OLE objects
  • Embedded OLE object (severity: medium; rule: RTF_OBJEMB)
    RTF contains \objemb — embedded OLE object
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in RTF body)
    • http://ns.adobe.com/xap/1.0/ (in RTF body)
    • http://ns.adobe.com/pdf/1.3/ (in RTF body)
    • http://purl.org/dc/elements/1.1/ (in RTF body)
    • http://ns.adobe.com/xap/1.0/mm/ (in RTF body)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: objdata_00_off000001ed.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x1ED
    Size: 1096692 bytes
    SHA-256: a511375959bd79d2eb6d193830a2ef15c84b7bbcb59bf9c0a804d8ab84eff91b
  • Filename: objdata_01_off00217d09.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x217D09
    Size: 3734 bytes
    SHA-256: adc980713266cc7548b3593eb43da26591e660d2608f0946037e3c781493b99f