Malicious RTF — malware analysis report

Static analysis result for SHA-256 7e49b25c15a26dcd…

Verdict: MALICIOUS

File type: RTF

Size: 51.8 KB
Created: 2016-08-26 12:10:00
MD5: 132a7a398b368381073d11a6d353a265
SHA-1: 5fafb914d9db147215c033249be872f899c3a218
SHA-256: 7e49b25c15a26dcdceaee3643b99c37d5de04ace04f505cb2f8ae31f8c4e7afb
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The RTF file contains an embedded OLE object, a common technique for delivering secondary payloads. The ClamAV heuristic identifies it as a dropper, and the presence of a URL with unknown reputation suggests the document is used to download a malicious executable. The embedded binary data, once decoded, likely contains the payload itself or the instructions for executing it.

Heuristics (3)

  • ClamAV: Rtf.Dropper.Agent-1662426 (severity: critical, tag: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Rtf.Dropper.Agent-1662426
  • OLE object data (severity: medium, tag: RTF_OBJDATA)
    RTF contains 1 \objdata section(s): embedded OLE objects
  • Embedded URL (severity: info, tag: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs extracted:
      • https://a.pomf.cat/nhjkkj.exe
      • http://schemas.microsoft.com/office/word/2003/wordml

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: objdata_00_off00006c3e.bin
    SHA-256: c8b8a6061b0070609ebb74e5ff4e18bffe9345834941fb837ce5c0ef51a97599
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x6C3E
    Size: 10901 bytes