MALICIOUS
302
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
T1027 Obfuscated Files or Information
The RTF file contains multiple embedded OLE objects, with significant hex-encoded data and a detected PE header within one of these objects. ClamAV identifies this as Rtf.Dropper.Agent-9965975-1, indicating its function as a dropper. The embedded artifacts are likely the payload intended for execution.
Heuristics 9
-
ClamAV: Rtf.Dropper.Agent-9965975-1 critical CLAMAV_DETECTIONClamAV detected this file as malware: Rtf.Dropper.Agent-9965975-1
-
PE header (with DOS stub) in hex data critical RTF_MZ_HEXHex-encoded PE (MZ + DOS stub) found inside RTF — likely an embedded executable payload
-
\objupdate forces OLE activation high RTF_OBJUPDATERTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
-
Package object class high RTF_OBJCLASS_PACKAGEOLE Package object — can wrap arbitrary files
-
Large hex data blocks in OLE object high RTF_EXCESSIVE_HEXRTF contains ~1684KB of hex-encoded data inside \objdata sections — may hide a payload
-
OLE object data medium RTF_OBJDATARTF contains 3 \objdata section(s) — embedded OLE objects
-
Embedded OLE object medium RTF_OBJEMBRTF contains \objemb — embedded OLE object
-
Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.microsoft.com/office/word/2003/wordml In RTF body
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
objdata_00_off00002c27.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x2C27 | 257567 bytes |
SHA-256: 52d82fdef8164c508e1a4bdd9c1bbfeeac1d63f198a39443627823188b6a43d7 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Static shellcode analysis found candidate code region(s). Indicators: SC_PEB_ACCESS, SC_STR_GETPROCADDRESS, SC_STR_LOADLIBRARY Static shellcode analysis recovered API/import strings: kernel32.dll, shell32.dll, KERNEL32.DLL, GetProcAddress, ExitProcess
|
|||
objdata_01_off00086fe1.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x86FE1 | 567608 bytes |
SHA-256: afe9a54a4ced7ad2b136a61223bee2097c90ca0f8ff84112cf6b6f7f76446db0 |
|||
objdata_02_off0019f86d.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x19F86D | 1067 bytes |
SHA-256: fa8fe86b2ae8ac8fb733730018429e3b42b47b4aa04cc07e7041e2557bf14e39 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Static shellcode analysis found candidate code region(s). Indicators: SC_PEB_ACCESS, NOP sled
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.