RTF malware analysis — malicious · 61746ba717398eeb

MALICIOUS

RTF

176.2 KB Created: 2011-06-17 11:55:00 Authoring application: Microsoft Word 11.0.5604 First seen: 2015-09-24

MD5: 74007eade8193943f02249feacd45780 SHA-1: 3c1bb9c1af912fce72873fd0fdbe50fac8816629 SHA-256: 61746ba717398eeb963d27bf846558c8ead9df24ab74e6bcdf52378e98208316

182 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The sample is an RTF document that exploits the CVE-2010-3333 vulnerability, a known stack overflow in RTF parsing. Static analysis detected a PE header within the RTF data, indicating the presence of an embedded executable. This executable, named 'embedded_rtf_0000a962.exe', is likely the second-stage payload dropped by the exploit.

Heuristics 4

CVE-2010-3333 — pFragments RTF stack overflow critical CVE exact CVE_2010_3333

RTF shape property pFragments has an oversized value, matching the CVE-2010-3333 stack-overflow trigger in Microsoft Word 2002/2003.
ClamAV: Rtf.Dropper.Agent-9965975-1 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Rtf.Dropper.Agent-9965975-1
PE header (with DOS stub) in hex data critical RTF_MZ_HEX

Hex-encoded PE (MZ + DOS stub) found inside RTF — likely an embedded executable payload
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`embedded_rtf_0000a962.exe`	embedded-pe	RTF hex-encoded MZ at offset 0xA962	68544 bytes
SHA-256: `2ac76b387bba13980de064fe0f53c6d1f04034760d30956f2897540973f92b5f`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.52, consistent with packed or encrypted content.

Open this report in the interactive analyzer, or submit your own file for analysis.