Win.Trojan.Agent-875904 — RTF malware analysis

Static analysis result for SHA-256 53977c1e4ad54c51…

Verdict: MALICIOUS

File type: RTF

Size: 1.33 MB
Authoring application: Msftedit 5.41.15.1515
MD5: 0e447b0c0dbd05e8a4d59b096054abd2
SHA-1: a0fb2e74bf10f796dce93e4e053cae33257d4368
SHA-256: 53977c1e4ad54c51ad3a205b0369d1db29a2036fe1091ed93fce24c2fd652d8f
Risk Score: 240

Malware Insights

Win.Trojan.Agent-875904 · confidence 95%

MITRE ATT&CK
  • T1559: Component Object Model Hijacking
  • T1559.001: Component Object Model Hijacking: Component Object Model Hijacking

The RTF document contains an embedded OLE object, identified by heuristics as a Package object class and containing a large amount of hex-encoded data. ClamAV signatures identify the file as Win.Trojan.Agent-875904, indicating that the embedded object is a malicious payload. The primary IOC is the file's SHA-256 hash.

Heuristics (5)

  • ClamAV: Win.Trojan.Agent-875904 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.Agent-875904
  • Package object class (high, RTF_OBJCLASS_PACKAGE)
    OLE Package object: can wrap arbitrary files
  • Large hex data blocks in OLE object (high, RTF_EXCESSIVE_HEX)
    RTF contains ~1389 KB of hex-encoded data inside \objdata sections; may hide a payload
  • OLE object data (medium, RTF_OBJDATA)
    RTF contains 1 \objdata section(s): embedded OLE objects
  • Embedded OLE object (medium, RTF_OBJEMB)
    RTF contains \objemb: embedded OLE object

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: objdata_00_off000000d3.bin
    SHA-256: 577564a5fa05b717a6183ad0167e01015e2fac2f1647bcfdeeac53a0cf15ebfa
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0xD3
    Size: 677168 bytes
    Detection: ClamAV: Win.Trojan.Agent-875904
    Obfuscation or payload: unlikely