Rtf.Dropper.Agent-6974552-0 — RTF malware analysis

Static analysis result for SHA-256 7c955c9a0fac85ec…

MALICIOUS

RTF

218.0 KB Created: 2019-01-23 19:55:00 First seen: 2020-04-06
MD5: b546b4dc07e9a6d19ddfb815f6db67ea SHA-1: a9f790bb7a81e8a03726a49c2b68cf6232b943e2 SHA-256: 7c955c9a0fac85ecba916c8079f69d454dbdb661ac72a8c3ba762a07c2cc7376
182 Risk Score

Malware Insights

Rtf.Dropper.Agent-6974552-0 · confidence 95%

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The RTF file contains embedded OLE object data and an \objupdate directive, indicating an attempt to automatically activate the embedded object. ClamAV detected this as Rtf.Dropper.Agent-6974552-0, and static triage identified shellcode-related artifacts. This suggests the file is designed to drop and execute a secondary payload.

Heuristics 5

  • ClamAV: Rtf.Dropper.Agent-6974552-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Rtf.Dropper.Agent-6974552-0
  • Suspicious extracted artifact critical EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2003/wordml In RTF body
    • https://bit.ly/2UNSWXIIn RTF body

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00027bd5.bin rtf-objdata-decoded RTF \objdata at offset 0x27BD5 1262 bytes
SHA-256: 151041f3298c139edb490de56aa6bb076503dc4393c3e56d58c3a568a5a3993e
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis recovered URL(s): https://bit.ly/2UNSWXI Static shellcode analysis found candidate code region(s). Indicators: SC_STR_LOADLIBRARY, SC_STR_URLDOWNLOAD, SC_PEB_ACCESS Static shellcode analysis recovered API/import strings: LoadLibraryA, GetProcAddress, URLDownloadToFileA, CreateProcessA, ExitProcess

Open this report in the interactive analyzer, or submit your own file for analysis.