Win.Trojan.DragonOK — RTF malware analysis

Static analysis result for SHA-256 c3b5503a0a89fd2e…

MALICIOUS

RTF

Size: 224.1 KB · Created: 2016-05-31 07:47:00
MD5: a4389b334e80bd96442138b2dd196209
SHA-1: 10c1fd3c31c77a7fc99b68d28e541260da50c4ee
SHA-256: c3b5503a0a89fd2eae9a77ff92eef69f08d68b963140b0a31721bb4960545e07
Risk Score: 202

Malware Insights

Win.Trojan.DragonOK · confidence 95%

MITRE ATT&CK
T1059.003 Windows Command Shell

The RTF file contains embedded OLE objects and triggers heuristics related to suspicious cmd.exe invocation and OLE object data. The critical ClamAV detection identifies it as Win.Trojan.DragonOK and notes an exploit for CVE-2015-1641. The embedded command 'cmd.exe /c reg delete "HKCU1.0" /Fp' suggests an attempt to disable defenses or remove persistence.

Heuristics (6)

  • ClamAV: Win.Trojan.DragonOK-5580506-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.DragonOK-5580506-0
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Suspicious cmd.exe invocation with execution flag high SC_STR_CMD
  • OLE object data medium RTF_OBJDATA
    RTF contains 2 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2003/wordml

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                     Kind                 Source                          Size
objdata_00_off00007d20.bin   rtf-objdata-decoded  RTF \objdata at offset 0x7D20   53 bytes
  SHA-256: 27dedb23bebf4c25762971c4eb486b0f3873347bf82424ea00f742257e85dac5
objdata_01_off00007de2.bin   rtf-objdata-decoded  RTF \objdata at offset 0x7DE2   14385 bytes
  SHA-256: 37fe51c7686c0a83ff80b6afc2bb18b81e1d2d11ee60563d4a3d842301cb1025
  Detection: ClamAV: Doc.Exploit.CVE_2015_1641-6397417-0
  Obfuscation or payload: unlikely