RTF / .DOC malware analysis — malicious · a48643ef2e37c9b1

MALICIOUS

RTF / .DOC

102.9 KB Created: 2010-04-27 10:47:00

MD5: 8f998620108ee5495f2c48120ff0332d SHA-1: 151b73de4d0a227a5142c9e14b3e7299a044a30f SHA-256: a48643ef2e37c9b19159d1d74d81e0f7bc10e86c17721c4772699f8c40a6f261

260 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1204.002 Malicious File T1027 Obfuscated Files or Information

The RTF file contains embedded OLE objects, including a PE header, which is a strong indicator of malicious intent. ClamAV signatures confirm this, identifying it as a trojan dropper. The document body text, while seemingly innocuous, is likely a lure to encourage the user to interact with the embedded malicious content.

Heuristics 6

PE header (with DOS stub) in hex data critical RTF_MZ_HEX

Hex-encoded PE (MZ + DOS stub) found inside RTF — likely an embedded executable payload
ClamAV: Win.Trojan.Dropper-11394 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Win.Trojan.Dropper-11394
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
Package object class high RTF_OBJCLASS_PACKAGE

OLE Package object — can wrap arbitrary files
OLE object data medium RTF_OBJDATA

RTF contains 1 \objdata section(s) — embedded OLE objects
Embedded OLE object medium RTF_OBJEMB

RTF contains \objemb — embedded OLE object

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off00001129.bin` `cfa2024980a6208b0cc598835c3fb67724cb821a7daad1ee569031c83badaa58`	rtf-objdata-decoded	RTF \objdata at offset 0x1129	45870 bytes
Detection ClamAV: Win.Trojan.Dropper-11394 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.