Win.Trojan.Killav-28 — RTF malware analysis

Static analysis result for SHA-256 6f0b5a9a9091029a…

Verdict: MALICIOUS
File type: RTF
Size: 1.55 MB
Authoring application: Msftedit 5.41.15.1507
MD5: c3942df653df24d434d831283919546d
SHA-1: ebc3b139dd2ce5ccd04708896cfd166d58f9addd
SHA-256: 6f0b5a9a9091029a16c68ee7844a4ca32877f75434a917dddc1c686ddf89c546
Risk score: 300

Malware Insights

Win.Trojan.Killav-28 · confidence 95%

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The RTF file contains multiple embedded OLE objects, with one object exhibiting a high concentration of hex-encoded data. Critical heuristics identified a PE header within this hex data, strongly indicating the presence of an executable payload. ClamAV detections confirm this, identifying the file as Win.Trojan.Killav-28. The embedded artifacts are likely the delivered payload.

Heuristics (7)

  • PE header (with DOS stub) in hex data [critical, RTF_MZ_HEX]
    Hex-encoded PE (MZ + DOS stub) found inside RTF — likely an embedded executable payload
  • ClamAV: Win.Trojan.Killav-28 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Win.Trojan.Killav-28
  • ClamAV detection on extracted artifact [critical, EXTRACTED_FILE_CLAMAV]
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • Package object class [high, RTF_OBJCLASS_PACKAGE]
    OLE Package object — can wrap arbitrary files
  • Large hex data blocks in OLE object [high, RTF_EXCESSIVE_HEX]
    RTF contains ~1516 KB of hex-encoded data inside \objdata sections — may hide a payload
  • OLE object data [medium, RTF_OBJDATA]
    RTF contains 2 \objdata section(s) — embedded OLE objects
  • Embedded OLE object [medium, RTF_OBJEMB]
    RTF contains \objemb — embedded OLE object

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: objdata_00_off000000d2.bin
  SHA-256: 0046d1eba343bd9f02118f2b07aa34b62dfd318d74d68a6a8a1f90c2232c3c3c
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0xD2
  Size: 179423 bytes
  Detection: ClamAV: Win.Trojan.Killav-28
  Obfuscation or payload: unlikely

Filename: objdata_01_off000686b7.bin
  SHA-256: be7482ba6534f2c87d32cb1a029e347e4fd5f765fb92e84b07fdf5e790c4c592
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x686B7
  Size: 530754 bytes