MALICIOUS
162
Risk Score
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
The file is an RTF document containing OLE object data, which is indicative of an exploit. ClamAV signatures confirm the presence of the CVE-2015-1641 exploit, a known vulnerability allowing for arbitrary code execution. The embedded OLE objects are likely the exploit payload, leading to the malicious verdict.
Heuristics 4
-
ClamAV: Doc.Exploit.CVE_2015_1641-6397417-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Exploit.CVE_2015_1641-6397417-0
-
OLE object data medium RTF_OBJDATARTF contains 3 \objdata section(s) — embedded OLE objects
-
Embedded OLE object medium RTF_OBJEMBRTF contains \objemb — embedded OLE object
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
objdata_00_off0000001f.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x1F | 53 bytes |
SHA-256: 7337580416891e5a22d1993e8e7f6fd70b313be9c6e0f3065f42b639d8fe4b88 |
|||
objdata_01_off00002068.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x2068 | 21553 bytes |
SHA-256: 05d45c64752f9b23ed372a2328bd9e650771aac65f80b68ea85aeb3219ecef31 |
|||
objdata_02_off0000e8aa.bin |
rtf-objdata-decoded | RTF \objdata at offset 0xE8AA | 32817 bytes |
SHA-256: 224d0a14660714cd73baceb985d8a6358961441d22908a16291903f8e9a98054 |
|||
|
Detection
ClamAV:
Doc.Exploit.CVE_2015_1641-6397417-0
Obfuscation or payload:
likely
Carved artifact entropy is 7.71, consistent with packed or encrypted content.
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.