Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 77d76eb5491345ab…

Verdict: MALICIOUS
File type: RTF / .DOC
Size: 117.6 KB
Authoring application: Msftedit 5.41.15.1507
MD5: 33df5e4a0ab79e1aa1c11c6fe2757c21
SHA-1: e20f00572487ec48a469854122034fc9db51c654
SHA-256: 77d76eb5491345ab7ba8dd0f53646e1a1db992030a950d81316a0e665232a1e4
Risk score: 200

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The file is an RTF document identified by ClamAV as Win.Trojan.VB-24796. Static analysis revealed embedded OLE objects, specifically a package object, which are commonly used to deliver and execute malicious payloads. The presence of these indicators suggests the document is designed to exploit vulnerabilities or trick the user into executing malware.

Heuristics 5

  • ClamAV: Win.Trojan.VB-24796 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Win.Trojan.VB-24796
  • ClamAV detection on extracted artifact [critical, EXTRACTED_FILE_CLAMAV]
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Package object class [high, RTF_OBJCLASS_PACKAGE]
    OLE Package object — can wrap arbitrary files
  • OLE object data [medium, RTF_OBJDATA]
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded OLE object [medium, RTF_OBJEMB]
    RTF contains \objemb — embedded OLE object

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: objdata_00_off00000169.bin
SHA-256: d5281c4cb3b9566a093df131dbde5d945416ae7cdd304707523513943bdbba64
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x169
Size: 58221 bytes
Detection: ClamAV: Win.Trojan.VB-24796
Obfuscation or payload: unlikely