RTF malware analysis — malicious · b98cb6ac5c6018df

MALICIOUS

RTF

111.9 KB Authoring application: Msftedit 5.41.15.1515

MD5: 8e79cb1e31b9a529cd4ddd7bebc2ef30 SHA-1: f8ae6d742a338650473899a2e611539bd3285903 SHA-256: b98cb6ac5c6018dfccb7960f3250beb6333ef18b2999399cff7630845427150a

260 Risk Score

Malware Insights

MITRE ATT&CK

T1559.001 Component Object Model T1204.002 Malicious File

The RTF document contains an embedded OLE object which, upon extraction, reveals a PE executable. This is strongly indicative of a dropper or initial access mechanism. The presence of a PE header within the RTF's object data and ClamAV detections of 'Win.Trojan.Ransom-510' on both the RTF and the extracted artifact confirm the malicious nature and suggest a ransomware payload.

Heuristics 6

PE header (with DOS stub) in hex data critical RTF_MZ_HEX

Hex-encoded PE (MZ + DOS stub) found inside RTF — likely an embedded executable payload
ClamAV: Win.Trojan.Ransom-510 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Win.Trojan.Ransom-510
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
Package object class high RTF_OBJCLASS_PACKAGE

OLE Package object — can wrap arbitrary files
OLE object data medium RTF_OBJDATA

RTF contains 1 \objdata section(s) — embedded OLE objects
Embedded OLE object medium RTF_OBJEMB

RTF contains \objemb — embedded OLE object

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off000000d2.bin` `b0b9651e01f5525fabe79cf1c218ac3bfc432a2cc2ac9769c4732abc93a3cbc5`	rtf-objdata-decoded	RTF \objdata at offset 0xD2	51966 bytes
Detection ClamAV: Win.Trojan.Ransom-510 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.