RTF malware analysis — malicious · 6eca5e559059a0b5

MALICIOUS

RTF

328.3 KB Created: 2013-05-08 11:29:00 First seen: 2015-09-24

MD5: 72b1179bbb3d0d3dafa4a2b2ff4de240 SHA-1: 964d60d1d3a93eb9004fe3fae3edc54933595fd5 SHA-256: 6eca5e559059a0b5fad64d99491fba92a4c0d612a25566411e61ff4bedea1a95

102 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution

The RTF file contains embedded OLE object data which, when analyzed, revealed a shellcode candidate region. This strongly suggests the file is designed to exploit a vulnerability and execute arbitrary code. The ClamAV detection further supports its malicious nature. No specific family could be identified from the available evidence.

Heuristics 4

ClamAV: Rtf.Trojan.Agent-1388623 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Rtf.Trojan.Agent-1388623
OLE object data medium RTF_OBJDATA

RTF contains 1 \objdata section(s) — embedded OLE objects
Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.microsoft.com/office/word/2003/wordml In RTF body

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off00007f90.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x7F90	7123 bytes
SHA-256: `dd686eb503da220abab4156b0f7d49ed56b03256132f58a578fdef27b2c40e86`
Detection ClamAV: No threats found Obfuscation or payload: likely Static shellcode analysis found candidate code region(s). Indicators: NOP sled, SC_PEB_ACCESS

Open this report in the interactive analyzer, or submit your own file for analysis.