Win.Trojan.Lee-1 RTF malware analysis — malicious · 68d08db561345414

MALICIOUS

RTF

11.0 KB Authoring application: Msftedit 5.41.15.1515

MD5: f0887ad9732706fa9315b5b8d1a931b6 SHA-1: 04c699c976459524860df9d7e97c645973a9a093 SHA-256: 68d08db561345414a4a1c3544ecbee074fac64fdc134a533fa2b03a7fdf5fcdf

200 Risk Score

Malware Insights

Win.Trojan.Lee-1 · confidence 95%

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The RTF file contains embedded OLE objects, specifically a package object, which is a strong indicator of malicious intent. ClamAV signatures identify the file as Win.Trojan.Lee-1, a known trojan. The document body's instruction to 'double-click the image for better viewing' is a social engineering tactic to trick the user into executing the embedded malicious object.

Heuristics 5

ClamAV: Win.Trojan.Lee-1 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Win.Trojan.Lee-1
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
Package object class high RTF_OBJCLASS_PACKAGE

OLE Package object — can wrap arbitrary files
OLE object data medium RTF_OBJDATA

RTF contains 1 \objdata section(s) — embedded OLE objects
Embedded OLE object medium RTF_OBJEMB

RTF contains \objemb — embedded OLE object

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off000000d3.bin` `c580d46005a0dcb18a80e062e85b2795b59e8a0a9d22daf3ff207054738e2e7e`	rtf-objdata-decoded	RTF \objdata at offset 0xD3	5051 bytes
Detection ClamAV: Win.Trojan.Lee-1 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.