RTF / .DOC malware analysis — malicious · 64aa3aea96e79c59

MALICIOUS

RTF / .DOC

78.1 KB Authoring application: Msftedit 5.41.15.1515

MD5: 5c37928e09daf1ee60404e095b789ca1 SHA-1: e6c0c9012ffdef2809bbce610284acdebbafe092 SHA-256: 64aa3aea96e79c59e98ffff1d4f23d0e4aa23d14b96fea9e393db201397943dd

260 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The RTF document contains an embedded OLE object which, when decoded, reveals a PE executable. Heuristics indicate this is a package object containing a DOS stub and PE header, and ClamAV identifies it as Win.Trojan.Clicker-3830. This suggests the document is a malicious attachment designed to trick the user into executing a secondary payload.

Heuristics 6

PE header (with DOS stub) in hex data critical RTF_MZ_HEX

Hex-encoded PE (MZ + DOS stub) found inside RTF — likely an embedded executable payload
ClamAV: Win.Trojan.Clicker-3830 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Win.Trojan.Clicker-3830
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
Package object class high RTF_OBJCLASS_PACKAGE

OLE Package object — can wrap arbitrary files
OLE object data medium RTF_OBJDATA

RTF contains 1 \objdata section(s) — embedded OLE objects
Embedded OLE object medium RTF_OBJEMB

RTF contains \objemb — embedded OLE object

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off000000cf.bin` `a6a27f062c47d0dfe3fea3d222c39614ecc79af905e88a13ac3c7e620a6a0e1a`	rtf-objdata-decoded	RTF \objdata at offset 0xCF	35131 bytes
Detection ClamAV: Win.Trojan.Clicker-3830 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.