Verdict: MALICIOUS
Risk Score: 162
Malware Insights
MITRE ATT&CK: T1566.001 Spearphishing Attachment
The RTF file contains one embedded OLE object (one \objdata section, flagged by the RTF_OBJDATA heuristic). The document body displays an error message, a likely social-engineering lure to get the user to interact with the embedded object. The SC_XOR_ENCODED heuristic found Windows API names ('CreateProcessA', 'ShellExecuteW') XOR-encoded with the single-byte key 0x3F, and ClamAV matched the file as Rtf.Trojan.Agent-1388623. No scripts were extracted, but an embedded OLE object together with XOR-encoded process-creation and shell-execution API names points to payload delivery through that object.
Heuristics (5)
- ClamAV: Rtf.Trojan.Agent-1388623 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Rtf.Trojan.Agent-1388623
- XOR-encoded strings (key 0x3F) [critical, SC_XOR_ENCODED]: Found 2 Windows library/API name(s) XOR-encoded with single-byte key 0x3F: 'CreateProcessA', 'ShellExecuteW'
Disassembly
Attempted x86 opcode disassembly of the bytes at 0003D887 (the region in which the XOR-encoded names were found):

    0003D887 7c4d        jl 0x3d8d6
    0003D889 5a          pop edx
    0003D88A 5e          pop esi
    0003D88B 4b          dec ebx
    0003D88C 5a          pop edx
    0003D88D 6f          outsd dx, dword ptr [esi]
    0003D88E 4d          dec ebp
    0003D88F 50          push eax
    0003D890 5c          pop esp
    0003D891 5a          pop edx
    0003D892 4c          dec esp
    0003D893 4c          dec esp
    0003D894 7e4c        jle 0x3d8e2
    0003D896 6a4c        push 0x4c
    0003D898 5a          pop edx
    0003D899 4d          dec ebp
    0003D89A 683f3f3f3f  push 0x3f3f3f3f
    0003D89F 6c          insb byte ptr es:[edi], dx
    0003D8A0 57          push edi
    0003D8A1 5a          pop edx
    0003D8A2 53          push ebx
    0003D8A3 53          push ebx
    0003D8A4 7a47        jp 0x3d8ed
    0003D8A6 5a          pop edx
    0003D8A7 5c          pop esp
    0003D8A8 4a          dec edx
    0003D8A9 4b          dec ebx
    0003D8AA 5a          pop edx
    0003D8AB 7a47        jp 0x3d8f4
    0003D8AD 683f3f3f6d  push 0x6d3f3f3f
    0003D8B2 5a          pop edx
    0003D8B3 5e          pop esi
    0003D8B4 53          push ebx
    0003D8B5 6c          insb byte ptr es:[edi], dx
    0003D8B6 57          push edi
    0003D8B7 5a          pop edx
    0003D8B8 53          push ebx
    0003D8B9 53          push ebx
    0003D8BA 7a47        jp 0x3d903
    0003D8BC 5a          pop edx
    0003D8BD 5c          pop esp
    0003D8BE 4a          dec edx
    0003D8BF 4b          dec ebx
    0003D8C0 5a          pop edx
    0003D8C1 683f3f3f6c  push 0x6c3f3f3f
    0003D8C6 777d        ja 0x3d945
    0003D8C8 4d          dec ebp
    0003D8C9 50          push eax
    0003D8CA 48          dec eax
    0003D8CB 4c          dec esp
    0003D8CC 5a          pop edx
    0003D8CD 7950        jns 0x3d91f
    0003D8CF 4d          dec ebp
    0003D8D0 7950        jns 0x3d922
    0003D8D2 53          push ebx
    0003D8D3 5b          pop ebx
    0003D8D4 5a          pop edx
    0003D8D5 4d          dec ebp
    0003D8D6 683f3f3f3f  push 0x3f3f3f3f
    0003D8DB 3f          aas
    0003D8DC 3f          aas
    0003D8DD 3f          aas
    0003D8DE 3f          aas
    0003D8DF 3f          aas
    0003D8E0 3f          aas
    0003D8E1 3f          aas
    0003D8E2 3f          aas
    0003D8E3 3f          aas
    0003D8E4 3f          aas
    0003D8E5 3f          aas
    0003D8E6 3f          aas

Note on reading this listing: it is encoded data, not code. Every byte lies in the printable ASCII range (hence the stream of one-byte pop/dec/push opcodes), and the long run of 3f bytes decoding as aas is the reported XOR key 0x3F applied to null bytes. XOR-decoding the listed bytes with 0x3F yields the null-separated strings CreateProcessAsUserW, ShellExecuteExW, RealShellExecuteW and SHBrowseForFolderW, which contain the 'CreateProcessA' and 'ShellExecuteW' substrings that SC_XOR_ENCODED reported. The listing therefore corroborates the XOR finding; the candidate shellcode regions are those reported for the extracted OLE object below, not this region.
- OLE object data [medium, RTF_OBJDATA]: RTF contains 1 \objdata section(s) (embedded OLE objects)
- Suspicious extracted artifact [medium, EXTRACTED_FILE_STATIC_TRIAGE]: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body). This is the Word 2003 WordprocessingML XML namespace that Word writes into documents it saves; it is not a network indicator.
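To reproduce the SC_XOR_ENCODED finding and see the full strings behind it, the following added example (written for this page; it is not the analyzer's code) brute-forces every single-byte XOR key over a buffer and reports the keys under which known Windows API names appear. Its input is the 96-byte sequence transcribed from the disassembly listing at 0003D887 above, embedded as a constant; the API dictionary is a short illustrative list, not the analyzer's.

```python
"""Added example: brute-force single-byte XOR keys and look for Windows API names.

Input bytes are transcribed from the report's disassembly listing at 0003D887;
the API list is a short illustrative dictionary, not the analyzer's.
"""
import re

# Illustrative dictionary of API names worth flagging when found encoded.
API_NAMES = [
    b"CreateProcessA", b"CreateProcessW", b"CreateProcessAsUserW",
    b"ShellExecuteW", b"ShellExecuteExW", b"RealShellExecuteW",
    b"SHBrowseForFolderW", b"VirtualAlloc", b"WinExec", b"URLDownloadToFileA",
]

# The 96 bytes the analyzer tried to disassemble (constructed from the listing).
SAMPLE = bytes.fromhex(
    "7c4d5a5e4b5a6f4d505c5a4c4c7e4c6a4c5a4d683f3f3f3f"
    "6c575a53537a475a5c4a4b5a7a47683f3f3f"
    "6d5a5e536c575a53537a475a5c4a4b5a683f3f3f"
    "6c777d4d50484c5a79504d7950535b5a4d683f3f3f3f"
    "3f3f3f3f3f3f3f3f3f3f3f3f"
)

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key."""
    return bytes(b ^ key for b in data)


def find_xor_encoded_apis(data: bytes, names=API_NAMES) -> dict:
    """Try keys 0x01..0xFF and return {key: [api names found]} for keys that hit.

    Key 0x00 is skipped on purpose: plaintext API names are a different
    (weaker) finding and must not be reported as "encoded".
    """
    hits = {}
    for key in range(1, 256):
        decoded = xor_bytes(data, key)
        found = [n.decode() for n in names if n in decoded]
        if found:
            hits[key] = found
    return hits


def decode_strings(data: bytes, key: int) -> list:
    """Decode with one key and return printable runs of 6+ characters, so the
    full names are visible rather than only the dictionary substrings."""
    return [m.decode() for m in PRINTABLE_RUN.findall(xor_bytes(data, key))]


if __name__ == "__main__":
    for key, found in find_xor_encoded_apis(SAMPLE).items():
        print(f"key 0x{key:02x}: {found}")
        print("  decoded strings:", decode_strings(SAMPLE, key))
```

Only key 0x3F produces dictionary hits on this buffer, and the printable runs it exposes are the four full export names; the two names the analyzer reported are substrings of them. The dictionary approach keeps false positives low because a wrong key turns text into byte noise that never spells a 7-plus-character API name.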
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| objdata_00_off00007f90.bin | rtf-objdata-decoded | RTF \objdata at offset 0x7F90 | 7096 bytes |

SHA-256: 920e09c6ba7144ac8b14bd7e582ddb2d55a2c6313bdd60f1a38f1819845742a0

Detection (objdata_00_off00007f90.bin)
- ClamAV: No threats found. The Rtf.Trojan.Agent-1388623 signature matched the RTF container, not this carved object, so the object's assessment rests on the static indicators below.
- Obfuscation or payload: likely. Static shellcode analysis found candidate code region(s). Indicators: NOP sled, SC_PEB_ACCESS
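The artifact above was produced by hex-decoding the RTF's \objdata section and then scanning the result for shellcode indicators. The following added example (not the analyzer's code) performs the same steps on a constructed RTF built inside the script: it carves each \objdata hex run, parses the OLE 1.0 ObjectHeader (MS-OLEDS 2.2.4) to recover the class name, and runs byte-pattern checks for a NOP sled and for PEB access (fs:[0x30] on x86, gs:[0x60] on x64). The sample document's embedded object is a deliberately planted NOP sled plus PEB lookup, not the 7096-byte object from this report, and the pattern lists are illustrative rather than the analyzer's.

```python
"""Added example: carve RTF \\objdata blobs and run static shellcode checks.

Not the analyzer's code. The RTF is constructed below; its embedded object is
a planted NOP sled plus PEB lookup, not the 7096-byte object from the report.
"""
import re

OBJDATA_KEYWORD = re.compile(rb"\\objdata\s*")
HEX_DIGITS = b"0123456789abcdefABCDEF"

# "mov r32, fs:[0x30]" (x86 PEB) and "mov rax, gs:[0x60]" (x64 PEB).
PEB_ACCESS = re.compile(
    rb"\x64\xa1\x30\x00\x00\x00"                                      # mov eax, fs:[0x30]
    rb"|\x64\x8b[\x05\x0d\x15\x1d\x25\x2d\x35\x3d]\x30\x00\x00\x00"   # mov r32, fs:[0x30]
    rb"|\x65\x48\x8b\x04\x25\x60\x00\x00\x00"                         # mov rax, gs:[0x60]
)
NOP_SLED = re.compile(rb"\x90{16,}")


def carve_objdata(rtf: bytes) -> list:
    """Return [(offset_of_keyword, decoded_bytes)] for each \\objdata hex run.

    Hex digits are collected until the next control word or closing brace;
    whitespace inside the run is ignored because RTF writers wrap the hex.
    Evasions such as control words spliced into the hex are out of scope here.
    """
    blobs = []
    for m in OBJDATA_KEYWORD.finditer(rtf):
        i = m.end()
        hex_chars = bytearray()
        while i < len(rtf) and rtf[i] not in b"}\\":
            if rtf[i] in HEX_DIGITS:
                hex_chars.append(rtf[i])
            i += 1
        if len(hex_chars) % 2:          # stray trailing nibble: drop it
            hex_chars.pop()
        blobs.append((m.start(), bytes.fromhex(hex_chars.decode())))
    return blobs


def parse_ole1_header(blob: bytes) -> dict:
    """Parse the OLE 1.0 ObjectHeader (MS-OLEDS 2.2.4) at the start of a blob."""
    version = int.from_bytes(blob[0:4], "little")
    format_id = int.from_bytes(blob[4:8], "little")      # 2 = embedded object
    name_len = int.from_bytes(blob[8:12], "little")      # includes the NUL terminator
    class_name = blob[12:12 + name_len].rstrip(b"\x00").decode("latin-1")
    return {"ole_version": version, "format_id": format_id, "class_name": class_name}


def triage_rtf(rtf: bytes) -> list:
    """Carve every \\objdata object and report the two shellcode indicators."""
    report = []
    for offset, blob in carve_objdata(rtf):
        entry = {"offset": offset, "size": len(blob), **parse_ole1_header(blob)}
        entry["nop_sled"] = NOP_SLED.search(blob) is not None
        entry["peb_access"] = PEB_ACCESS.search(blob) is not None
        report.append(entry)
    return report


def build_sample_rtf() -> bytes:
    """Constructed document (not the analyzed sample): a lure sentence plus one
    embedded OLE 1.0 object whose native data is a NOP sled and a PEB lookup."""
    native = (b"\x90" * 32
              + bytes.fromhex("64a130000000")    # mov eax, fs:[0x30]   ; PEB
              + bytes.fromhex("8b400c"))         # mov eax, [eax+0x0c]  ; PEB->Ldr
    class_name = b"Package\x00"
    header = (b"\x01\x05\x00\x00"                        # OLEVersion 0x00000501
              + b"\x02\x00\x00\x00"                      # FormatID 2 = embedded
              + len(class_name).to_bytes(4, "little") + class_name
              + b"\x00\x00\x00\x00"                      # TopicName (empty)
              + b"\x00\x00\x00\x00"                      # ItemName (empty)
              + len(native).to_bytes(4, "little") + native)
    return (b"{\\rtf1\\ansi\\deff0 Error: this document could not be displayed.\\par\n"
            b"{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata\n"
            + header.hex().encode() + b"\n}}\n}")


if __name__ == "__main__":
    for entry in triage_rtf(build_sample_rtf()):
        print(entry)
```

The carved offset is that of the \objdata keyword, which is how the report names its artifact (offset 0x7F90). Both indicator checks are plain byte-pattern matches, so they flag candidate regions rather than prove execution; a disassembler pass over the flagged region, or detonation, is the next step when the class name is something a document should not legitimately embed.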