Win.Trojan.Flux-2 RTF / .DOC malware analysis — malicious · 8f26ccc877da363d

MALICIOUS

RTF / .DOC

61.0 KB

MD5: d37bcbb85803441661aafe5ba605108b SHA-1: b8073c344464f7938e5204dad34928aa394063f0 SHA-256: 8f26ccc877da363dd6824013afb3c386496ed2c695e19881998fcabbd989b7bc

260 Risk Score

Malware Insights

Win.Trojan.Flux-2 · confidence 95%

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1204.002 Malicious File T1137.001 DLL Search Order Hijacking

The RTF file contains embedded OLE objects, one of which has a PE header. ClamAV signatures identify this as Win.Trojan.Flux-2. The presence of a PE header within an embedded object strongly suggests the document is a dropper for a secondary executable payload.

Heuristics 6

PE header (with DOS stub) in hex data critical RTF_MZ_HEX

Hex-encoded PE (MZ + DOS stub) found inside RTF — likely an embedded executable payload
ClamAV: Win.Trojan.Flux-2 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Win.Trojan.Flux-2
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
Package object class high RTF_OBJCLASS_PACKAGE

OLE Package object — can wrap arbitrary files
OLE object data medium RTF_OBJDATA

RTF contains 1 \objdata section(s) — embedded OLE objects
Embedded OLE object medium RTF_OBJEMB

RTF contains \objemb — embedded OLE object

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off000000a5.bin` `629122af1e2f979c32abeb85e6d76397b33573478115857b02b50fd761ab8dfb`	rtf-objdata-decoded	RTF \objdata at offset 0xA5	26622 bytes
Detection ClamAV: Win.Trojan.Flux-2 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.