MALICIOUS
302
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
The RTF file contains a high amount of hex-encoded data within an OLE object, which includes a PE header. ClamAV signatures indicate this is a Win.Dropper.Nanocore variant, suggesting it's designed to download and execute a secondary payload. The document body's instruction to double-click an image further supports the payload delivery intent.
Heuristics 7
-
ClamAV: Win.Dropper.Nanocore-9903300-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Win.Dropper.Nanocore-9903300-0
-
PE header (with DOS stub) in hex data critical RTF_MZ_HEXHex-encoded PE (MZ + DOS stub) found inside RTF — likely an embedded executable payload
-
Package object class high RTF_OBJCLASS_PACKAGEOLE Package object — can wrap arbitrary files
-
Large hex data blocks in OLE object high RTF_EXCESSIVE_HEXRTF contains ~1018KB of hex-encoded data inside \objdata sections — may hide a payload
-
OLE object data medium RTF_OBJDATARTF contains 1 \objdata section(s) — embedded OLE objects
-
Embedded OLE object medium RTF_OBJEMBRTF contains \objemb — embedded OLE object
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.microsoft.com/office/word/2003/wordml In RTF body
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
objdata_00_off0000179f.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x179F | 491158 bytes |
SHA-256: 19aafdc6dfca9b43899b508e82c60cf7554f85f32e201739f4e577c799b1c7dc |
|||
|
Detection
ClamAV:
Win.Dropper.Nanocore-9903300-0
Obfuscation or payload:
unlikely
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.