Win.Trojan.Nemesis-9845795-0 — RTF malware analysis

Static analysis result for SHA-256 28f4da7ec9814a2d…

MALICIOUS

RTF

578.8 KB First seen: 2019-05-31
MD5: 10daa72e10267d0bd02cd3340303e6b3 SHA-1: 223d65a3a6e39233978ab07229a5cef8a5b9d41f SHA-256: 28f4da7ec9814a2dbbdc41e458056af761f0aad428a4146b23fc9d9e4b7c6d92
442 Risk Score

Malware Insights

Win.Trojan.Nemesis-9845795-0 · confidence 95%

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The RTF file contains multiple indicators of exploitation, including OLE object data, Equation Editor CLSID, and an embedded remote URL. The heuristic RTF_INCLUDE_REMOTE points to http://test1.ru/newbuild/t.php?thread=0&stats=send, which is likely used to download a secondary payload. ClamAV detection as Win.Trojan.Nemesis-9845795-0 further supports the malicious nature of this file.

Heuristics 10

  • Equation Editor CLSID critical CVE likely RTF_EQUATION_EDITOR
    Equation Editor OLE CLSID found inside an OLE object — exploited by CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798
  • Composite Moniker in RTF OLE object high CVE related RTF_COMPOSITE_MONIKER_RELATED
    RTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
  • ClamAV: Win.Trojan.Nemesis-9845795-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Nemesis-9845795-0
  • PE header (with DOS stub) in hex data critical RTF_MZ_HEX
    Hex-encoded PE (MZ + DOS stub) found inside RTF — likely an embedded executable payload
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • INCLUDETEXT/INCLUDEPICTURE remote URL high RTF_INCLUDE_REMOTE
    RTF document uses INCLUDETEXT or INCLUDEPICTURE with an http:// URL — Word can fetch the remote content on open depending on Office version and external-content settings, enabling remote template injection, NTLM capture via redirects, or payload delivery
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • OLE object data medium RTF_OBJDATA
    RTF contains 7 \objdata section(s) — embedded OLE objects
  • OlePres presentation stream in RTF OLE object medium RTF_OLEPRES_STREAM
    RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://test1.ru/newbuild/t.php?thread=0&stats=send In RTF body
    • http://nsis.sf.net/NSIS_ErrorIn RTF body

Extracted artifacts 7

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00009bfe.bin rtf-objdata-decoded RTF \objdata at offset 0x9BFE 400 bytes
SHA-256: fa79b00817f7495218632b8aca05100fc72b724a674512e970aa8642ceaa44bc
objdata_01_off00009f58.bin rtf-objdata-decoded RTF \objdata at offset 0x9F58 265045 bytes
SHA-256: f52040f307462994f49f5b817b8f4a2849d79c7d1dd1c98d1167fbe98615a403
Detection
ClamAV: Win.Trojan.Nemesis-9845795-0
Obfuscation or payload: likely
Carved artifact entropy is 7.93, consistent with packed or encrypted content.
objdata_02_off0008b647.bin rtf-objdata-decoded RTF \objdata at offset 0x8B647 360 bytes
SHA-256: 65a815ac74c3a920bb26bf2ccee166222ecb8f57cf7ca61a7cceafbfa7a5e421
objdata_03_off0008b953.bin rtf-objdata-decoded RTF \objdata at offset 0x8B953 1799 bytes
SHA-256: 8634239566ba821d8db6ddf9b4c73dc185ff580a96c1a0b4f3e5f3c3ac71baaa
objdata_04_off0008c79f.bin rtf-objdata-decoded RTF \objdata at offset 0x8C79F 797 bytes
SHA-256: 170399a741f8364bbf06cec53623f93687bf2c6434dbf9ab2555fa18fa82966d
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis recovered command string(s): WScript" & "" & rab & "" & "")
objdata_05_off0008ce6a.bin rtf-objdata-decoded RTF \objdata at offset 0x8CE6A 2620 bytes
SHA-256: 16f975cd20b1713e4dc7d34d66061ef75313030e0b9b73b637f1d8a0491d06f4
objdata_06_off0008e473.bin rtf-objdata-decoded RTF \objdata at offset 0x8E473 4681 bytes
SHA-256: 75bdf0d3e6198ce8609d72f965634443d1596df6ed427f655b94bb1d92e195e5

Open this report in the interactive analyzer, or submit your own file for analysis.