MALICIOUS
Risk Score: 102
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment
The RTF file contains multiple OLE objects, a common technique for embedding malicious content. ClamAV specifically identifies this file as 'Doc.Exploit.DDEautoexec-6346603-1', indicating a known exploit related to DDE auto-execution. This suggests the file is designed to leverage DDE to run arbitrary commands on the victim's system, likely delivered as a spearphishing attachment.
Heuristics (4)
- ClamAV: Doc.Exploit.DDEautoexec-6346603-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Exploit.DDEautoexec-6346603-1
- OLE object data (medium, RTF_OBJDATA): RTF contains 10 \objdata section(s), i.e. embedded OLE objects
- Embedded OLE object (medium, RTF_OBJEMB): RTF contains \objemb, an embedded OLE object
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)
Extracted artifacts (10)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| objdata_00_off000035c5.bin | rtf-objdata-decoded | RTF \objdata at offset 0x35C5 | 19505 bytes | 8dad1f2c80f82af53795d8c508aa83935e211f91e17afebcebc2b057a03b2b0f |
| objdata_01_off0000ec7c.bin | rtf-objdata-decoded | RTF \objdata at offset 0xEC7C | 19505 bytes | d439e0681892a56ce0804d7bc06b930a8eee203b993e5357effb7ac8af0423f1 |
| objdata_02_off0001a1a0.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1A1A0 | 19505 bytes | 922f333a0283ad9542dd9128627b42014937ac9604a476f86588d043cd56e632 |
| objdata_03_off000256c8.bin | rtf-objdata-decoded | RTF \objdata at offset 0x256C8 | 19505 bytes | 0ccd6e04f7208074768b6733fa4c020132a0ddb1648f8eacb5fd22547020a0ce |
| objdata_04_off00030bec.bin | rtf-objdata-decoded | RTF \objdata at offset 0x30BEC | 19505 bytes | 808edb84ad689667b186037edc04d4840e6288cf1194019c3998b89140ac905e |
| objdata_05_off0003c110.bin | rtf-objdata-decoded | RTF \objdata at offset 0x3C110 | 19505 bytes | 6de5cbc8eeded8dd109d67bcd108c4c62ab8d50e7a158b6aab1832446aa27239 |
| objdata_06_off00047634.bin | rtf-objdata-decoded | RTF \objdata at offset 0x47634 | 19505 bytes | 89adb04cd745abb95f8f9abcfdc3241679e01cdfbf7de8fdb5168e9a3c9e3c81 |
| objdata_07_off00052b58.bin | rtf-objdata-decoded | RTF \objdata at offset 0x52B58 | 19505 bytes | 4050a081643b05b0b262890f43457e00d4cf6d79f0f794bde7d82f7a429a2b06 |
| objdata_08_off0005e07e.bin | rtf-objdata-decoded | RTF \objdata at offset 0x5E07E | 19505 bytes | cb59d8fe11620c7f68a73e9933a16588f894ae6bfe7d20d603af0960cd95d9a2 |
| objdata_09_off000695a2.bin | rtf-objdata-decoded | RTF \objdata at offset 0x695A2 | 19505 bytes | cb63b6c3aa0d6e0c0851370a4dbaceae838803d73a05505331cd6f57ee074a90 |