RTF / .DOC malware analysis — malicious · 57648ceea0ef55a7

MALICIOUS

RTF / .DOC

107.0 KB Authoring application: Msftedit 5.41.15.1515

MD5: bab83b8cde9aa520c46075c84b9de12e SHA-1: 525b9535ac63cf6bc79e68b42c7d33d0774f4b02 SHA-256: 57648ceea0ef55a756e9adb0207961cfd5f74561ff600639a43d09c00c2d3dbd

260 Risk Score

Malware Insights

MITRE ATT&CK

T1559.002 Component Object Model T1204.002 Malicious File

The RTF file contains an embedded OLE object, identified as a Package object class. This object contains PE header data in hex, indicating an embedded executable. ClamAV signatures confirm the presence of a Windows Trojan. The file's structure strongly suggests it's a dropper or container for a malicious payload.

Heuristics 6

PE header (with DOS stub) in hex data critical RTF_MZ_HEX

Hex-encoded PE (MZ + DOS stub) found inside RTF — likely an embedded executable payload
ClamAV: Win.Trojan.3879934-1 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Win.Trojan.3879934-1
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
Package object class high RTF_OBJCLASS_PACKAGE

OLE Package object — can wrap arbitrary files
OLE object data medium RTF_OBJDATA

RTF contains 1 \objdata section(s) — embedded OLE objects
Embedded OLE object medium RTF_OBJEMB

RTF contains \objemb — embedded OLE object

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off000000cf.bin` `a26548f71dae98d70b115299b7c02a5c8186577d7630ff96cfb2eed988cb68ab`	rtf-objdata-decoded	RTF \objdata at offset 0xCF	49510 bytes
Detection ClamAV: Win.Trojan.3879934-1 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.