Rtf.Dropper.Agent-7145798-0 RTF malware analysis — malicious · c92b6e418793510e

MALICIOUS

RTF

14.3 KB First seen: 2018-09-04

MD5: a91e302ca1dcffce03d1cf07a6f721ae SHA-1: 1bf1255e02c8ab2a7d36f185148e99658cc7c7a6 SHA-256: c92b6e418793510eb0db9d284c4e92e9e7989bae9a23654ee70f282335ef4e64

160 Risk Score

Malware Insights

Rtf.Dropper.Agent-7145798-0 · confidence 95%

MITRE ATT&CK

T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF file contains OLE object data and an \objupdate directive, indicating an attempt to exploit a vulnerability through an embedded OLE object. ClamAV detection confirms this as Rtf.Dropper.Agent-7145798-0, suggesting its purpose is to act as a dropper for further malicious activity.

Heuristics 4

Ole10Native stream in RTF OLE object high CVE related RTF_OLE10NATIVE_STREAM

RTF contains an embedded OLE object with an Ole10Native stream. This is a strong payload-container signal and is related to Word/OLE exploit delivery, but it is not specific enough on its own to assign a CVE.
ClamAV: Rtf.Dropper.Agent-7145798-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Rtf.Dropper.Agent-7145798-0
\objupdate forces OLE activation high RTF_OBJUPDATE

RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
OLE object data medium RTF_OBJDATA

RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off0000090a.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x90A	4133 bytes
SHA-256: `675df15bc31670ab911f046036378331afaeaddb3084f34c7a6f19a9554851b6`

Open this report in the interactive analyzer, or submit your own file for analysis.