Win.Trojan.Ag-1 — RTF malware analysis

Static analysis result for SHA-256 452a56261698a781…

MALICIOUS

RTF

170.3 KB Authoring application: Msftedit 5.41.15.1507 First seen: 2021-06-20
MD5: f1798263a885f5e3559037d9596b9db8 SHA-1: 33848d28e4ef2a7482e1dc18dfe56c6c125c6d6a SHA-256: 452a56261698a781ac1510ff142668ddc3b15c65dbd47a507c99401c94d7ca82
202 Risk Score

Malware Insights

Win.Trojan.Ag-1 · confidence 95%

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The RTF file contains embedded OLE objects, specifically a package object, which is a strong indicator of malicious intent. ClamAV signatures identify the embedded artifact as Win.Trojan.Ag-1. This suggests the file is likely a malicious attachment designed to exploit vulnerabilities or deliver a secondary payload upon opening.

Heuristics 5

  • ClamAV: Win.Trojan.Ag-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Ag-1
  • Package object class high RTF_OBJCLASS_PACKAGE
    OLE Package object — can wrap arbitrary files
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off000000c8.bin rtf-objdata-decoded RTF \objdata at offset 0xC8 82121 bytes
SHA-256: 3a36b5be8904f214121f0a9415ec30fc9586ac29577fd40c2ceef163196d4dfd
Detection
ClamAV: Win.Trojan.Ag-1
Obfuscation or payload: likely
Carved artifact entropy is 7.55, consistent with packed or encrypted content.