Win.Downloader.VBS-148 RTF malware analysis — malicious · 399c912f9e98f765

MALICIOUS

RTF

15.7 KB Authoring application: Msftedit 5.41.15.1515

MD5: 2cb455081da625bd05a9de170866febf SHA-1: 87648cfbd0c5cf15f3feae44785ee1bfd85dd0b8 SHA-256: 399c912f9e98f7655097004450620887a0ad5b1ed529b1a96f89b76493a627e7

200 Risk Score

Malware Insights

Win.Downloader.VBS-148 · confidence 95%

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1204.002 Malicious File

The RTF file contains an embedded OLE object, identified by multiple heuristics including RTF_OBJDATA, RTF_OBJEMB, and RTF_OBJCLASS_PACKAGE. ClamAV signatures confirm this is a downloader, specifically Win.Downloader.VBS-148. The embedded object is the primary indicator of malicious intent, likely serving as a dropper for a secondary payload.

Heuristics 5

ClamAV: Win.Downloader.VBS-148 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Win.Downloader.VBS-148
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
Package object class high RTF_OBJCLASS_PACKAGE

OLE Package object — can wrap arbitrary files
OLE object data medium RTF_OBJDATA

RTF contains 1 \objdata section(s) — embedded OLE objects
Embedded OLE object medium RTF_OBJEMB

RTF contains \objemb — embedded OLE object

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off000000d2.bin` `298400c38772b92bdecea4312a78bce06248c71480327824e291eb97cdf91397`	rtf-objdata-decoded	RTF \objdata at offset 0xD2	3993 bytes
Detection ClamAV: Win.Downloader.VBS-148 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.