Win.Trojan.Bifrose-8791 — RTF malware analysis

Static analysis result for SHA-256 877895cd9a065f3b…

MALICIOUS

RTF

Size: 267.0 KB
Authoring application: Msftedit 5.41.15.1507
First seen: 2021-06-20
MD5: b6cd9a56f4cef46a5def9e957b4e79d7
SHA-1: add12d693d0a7cdd5625b77bcbff5cf9d1e2b3e3
SHA-256: 877895cd9a065f3be15d0bf4ee4fb5cf84baa068151ee9ee1d70b59c97d7ae85
Risk Score: 260

Malware Insights

Win.Trojan.Bifrose-8791 · confidence 95%

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The RTF file carries an embedded OLE object of class Package and, critically, a hex-encoded PE header (MZ signature plus DOS stub) inside its \objdata run. ClamAV flags the file as Win.Trojan.Bifrose-8791, and the same signature fires on the decoded \objdata payload carved from it. The RTF is therefore a wrapper around a malicious executable rather than a document exploiting a parser bug; the Package class means the payload is an arbitrary file that executes only if the recipient activates the object. Delivery as a spearphishing attachment is the likely vector.

Heuristics (5)

  • ClamAV: Win.Trojan.Bifrose-8791 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Bifrose-8791
  • PE header (with DOS stub) in hex data critical RTF_MZ_HEX
    Hex-encoded PE (MZ + DOS stub) found inside RTF — likely an embedded executable payload
  • Package object class high RTF_OBJCLASS_PACKAGE
    OLE Package object — can wrap arbitrary files
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off000000d8.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0xD8
Size: 131092 bytes
SHA-256: 64ba31865b1b244eb09a0757c3c2a9852767780c198edafd7b264ff7aa94a8e3
Detection: ClamAV: Win.Trojan.Bifrose-8791
Obfuscation or payload: unlikely