Win.Trojan.Truko-10 RTF / .DOC malware analysis — malicious · 3c5982504a5559dc

MALICIOUS

RTF / .DOC

556.4 KB Authoring application: Msftedit 5.41.15.1507

MD5: 144fed311c4d677922aa879bd00f9373 SHA-1: 17e67d04f8c0c18b633dc3eaed5619c2b2274914 SHA-256: 3c5982504a5559dc4b00850c295b4f09ad7c5827edef3a673929ccfb471d7ee1

260 Risk Score

Malware Insights

Win.Trojan.Truko-10 · confidence 95%

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1204.002 Malicious File

The RTF file contains an embedded OLE object which, upon analysis, is identified as a PE executable. ClamAV signatures confirm this as Win.Trojan.Truko-10. The presence of the PE header within the RTF data strongly suggests the file is designed to deliver a malicious payload, likely a trojan.

Heuristics 6

PE header (with DOS stub) in hex data critical RTF_MZ_HEX

Hex-encoded PE (MZ + DOS stub) found inside RTF — likely an embedded executable payload
ClamAV: Win.Trojan.Truko-10 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Win.Trojan.Truko-10
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
Package object class high RTF_OBJCLASS_PACKAGE

OLE Package object — can wrap arbitrary files
OLE object data medium RTF_OBJDATA

RTF contains 1 \objdata section(s) — embedded OLE objects
Embedded OLE object medium RTF_OBJEMB

RTF contains \objemb — embedded OLE object

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off000000d1.bin` `ea1889d6c1f52bc8615caf271d702e1a8730e5cab519503a1cded0a37d30416a`	rtf-objdata-decoded	RTF \objdata at offset 0xD1	277390 bytes
Detection ClamAV: Win.Trojan.Truko-10 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.