Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 c6310bf62257271f…

MALICIOUS

RTF / .DOC

78.6 KB Created: 2010-03-29 09:44:00 Authoring application: Microsoft Word 10.0.6856
MD5: 28d23ade1b183eff37da2e271cc3d01c SHA-1: 56e55b17d7c8f25debbfe68b62b074677f5d0278 SHA-256: c6310bf62257271fbf29830dfe4d7217c15399eafcab0005c1b83bd27e5077a3
200 Risk Score

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking T1204.002 Malicious File

The RTF document contains an embedded OLE object, identified as a package object. Within this object, a PE header (MZ) was detected in hex data, indicating the presence of an executable. ClamAV also flagged this as Rtf.Dropper.Agent, suggesting it's designed to drop or execute malicious payloads. The SHA256 hash of the RTF file itself is provided as an IOC.

Heuristics 5

  • PE header (with DOS stub) in hex data critical RTF_MZ_HEX
    Hex-encoded PE (MZ + DOS stub) found inside RTF — likely an embedded executable payload
  • ClamAV: Rtf.Dropper.Agent-9965975-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Rtf.Dropper.Agent-9965975-1
  • Package object class high RTF_OBJCLASS_PACKAGE
    OLE Package object — can wrap arbitrary files
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00000e57.bin
a10bac02dab58da431dea783a28eea9d30d0c3499962ac1602b3bae425d09017		 rtf-objdata-decoded RTF \objdata at offset 0xE57 34112 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.