MALICIOUS
200
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
The RTF file contains OLE objects that are automatically linked and updated, triggering the execution of embedded code. A URL Moniker related heuristic indicates that the OLE object attempts to download a payload from the obfuscated URL. ClamAV identifies the file as Rtf.Dropper.Agent-6827592-0, suggesting a dropper functionality.
Heuristics 5
-
URL Moniker in RTF OLE object high RTF_URL_MONIKER_RELATEDRTF contains a URL Moniker GUID in OLE object context, but no decoded remote target was confirmed. Treat as related OLE2Link attack-surface evidence rather than proof of CVE-2017-0199 exploitation.
-
ClamAV: Rtf.Dropper.Agent-6827592-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Rtf.Dropper.Agent-6827592-0
-
Automatically linked OLE object high RTF_OBJAUTLINKRTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
-
\objupdate forces OLE activation high RTF_OBJUPDATERTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
-
OLE object data medium RTF_OBJDATARTF contains 1 \objdata section(s) — embedded OLE objects
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
objdata_00_off0000546a.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x546A | 9477 bytes |
SHA-256: 080880572caf871be5175fdf2273d0197d87b5cd617a230b1b22beef9ccf550d |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.