Rtf.Dropper.Agent-9965975-1 — RTF malware analysis

Static analysis result for SHA-256 833be6984818d33f…

Verdict: MALICIOUS
File type: RTF
Size: 72.1 KB
Created: 2011-03-08 15:54:00
First seen: 2012-10-11
MD5: 46e088243439fefdba283a7b08903ff3
SHA-1: e1d0592f0bce0f5e4aea077780d4947bbaad7228
SHA-256: 833be6984818d33f5159c516018b89fee25bd6809000cfeaef773169918afdff
Risk score: 182

Malware Insights

Rtf.Dropper.Agent-9965975-1 · confidence 95%

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF file contains a critical heuristic indicating a stack overflow vulnerability (CVE-2010-3333) and an embedded PE file. This suggests the document is designed to exploit this vulnerability upon opening, leading to the execution of the embedded payload. The ClamAV detection name further supports its classification as a dropper.

Heuristics (4)

  • CVE-2010-3333 — pFragments RTF stack overflow (severity: critical; category: CVE; match: exact; rule: CVE_2010_3333)
    RTF shape property pFragments has an oversized value, matching the CVE-2010-3333 stack-overflow trigger in Microsoft Word 2002/2003.
  • ClamAV: Rtf.Dropper.Agent-9965975-1 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Rtf.Dropper.Agent-9965975-1
  • PE header (with DOS stub) in hex data (severity: critical; rule: RTF_MZ_HEX)
    Hex-encoded PE (MZ + DOS stub) found inside RTF — likely an embedded executable payload
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (found in RTF body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_rtf_0000b03d.exe
Kind: embedded-pe
Source: RTF hex-encoded MZ at offset 0xB03D
Size: 14336 bytes
SHA-256: d99f6dbed82a91fec712372e290cdfc07a44513a1c136c8e5bbb23f4e7128e07