Win.Downloader.71077-1 — RTF malware analysis

Static analysis result for SHA-256 7615b088a9271b60…

Verdict: MALICIOUS
File type: RTF
Size: 126.4 KB
Authoring application: Msftedit 5.41.21.2508
First seen: 2014-02-28
MD5: c72ce83e5419f1c27a6650be0413899d
SHA-1: 88899c20a76d378af332d556792f55dd361e73d0
SHA-256: 7615b088a9271b605e5da9abc52ebd581b02ffa57748c7c0a15d1bf709aca6ae
Risk score: 260

Malware Insights

Win.Downloader.71077-1 · confidence 95%

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution

The RTF file contains an embedded OLE object that carries a Windows PE executable, which ClamAV identifies as Win.Downloader.71077-1. This indicates a downloader, most likely delivered as a spearphishing attachment and designed to execute a malicious payload on the victim host.

Heuristics (5)

  • ClamAV: Win.Downloader.71077-1 (severity: critical, id: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Downloader.71077-1
  • PE header (with DOS stub) in hex data (severity: critical, id: RTF_MZ_HEX)
    Hex-encoded PE (MZ + DOS stub) found inside RTF — likely an embedded executable payload
  • Package object class (severity: high, id: RTF_OBJCLASS_PACKAGE)
    OLE Package object — can wrap arbitrary files
  • OLE object data (severity: medium, id: RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded OLE object (severity: medium, id: RTF_OBJEMB)
    RTF contains \objemb — embedded OLE object

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off000000d2.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0xD2
Size: 59167 bytes
SHA-256: d4cc3678d3765766e0af7a0e364be8df12678223a36b481196f8862fd83a81e7
Detection: ClamAV: Win.Downloader.71077-1
Obfuscation or payload: unlikely