Rtf.Dropper.Agent-6831651-0 — RTF malware analysis

Static analysis result for SHA-256 3d79d90b0da56282…

MALICIOUS

RTF

Size: 7.7 KB · First seen: 2018-04-30
MD5: 2e658d4a286f3a4176a60b2450e9e729
SHA-1: e622f8cab9c1b3503d23d0653467c48c4e9ac2f7
SHA-256: 3d79d90b0da56282b3a8d719cf45cc560a279ee03412279da6ba649b3872e041
Risk Score: 200

Malware Insights

Rtf.Dropper.Agent-6831651-0 · confidence 95%

MITRE ATT&CK
T1203 Exploitation for Client Execution · T1566.001 Spearphishing Attachment

The RTF file contains embedded OLE objects that are automatically linked and updated, indicating an attempt to execute external code. ClamAV identifies this as Rtf.Dropper.Agent-6831651-0, a known dropper. The presence of URL monikers within the OLE object data strongly suggests the file's purpose is to download and execute a secondary payload.

Heuristics (5)

  • URL Moniker in RTF OLE object [high] [CVE related] RTF_URL_MONIKER_RELATED
    RTF contains a URL Moniker GUID in OLE object context, but no decoded remote target was confirmed. Treat as related OLE2Link attack-surface evidence rather than proof of CVE-2017-0199 exploitation.
  • ClamAV: Rtf.Dropper.Agent-6831651-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Rtf.Dropper.Agent-6831651-0
  • Automatically linked OLE object [high] RTF_OBJAUTLINK
    RTF contains \objautlink: an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • \objupdate forces OLE activation [high] RTF_OBJUPDATE
    RTF contains \objupdate: forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium] RTF_OBJDATA
    RTF contains 1 \objdata section(s): embedded OLE objects

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off0000003f.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x3F
Size: 3823 bytes
SHA-256: d32370a42867ea6f1b9e06a5997436a86c55957288465fb36e9594d968c7b435