Xls.Dropper.Agent-7648271-0 — RTF malware analysis

Static analysis result for SHA-256 d2d10a2174a73424…

MALICIOUS

RTF

Size: 467.6 KB · Created: 2019-01-07 23:54:00
MD5: dfc2fcca20e81347984e93504b287f1f
SHA-1: 6ce788c47e47a4a5b03399036381fbdc95ef4af4
SHA-256: d2d10a2174a734249f9985a339b5b1ea0f975a4980892e9223dfe3add7a6cc42
Risk score: 180

Malware Insights

Xls.Dropper.Agent-7648271-0 · confidence 95%

MITRE ATT&CK
T1559 Inter-Process Communication · T1559.001 Component Object Model

The RTF file contains multiple embedded OLE objects. The heuristics key on the \objdata control word (the hex-encoded body of an embedded OLE object) and on \objupdate, which forces the object to be instantiated as soon as the document is opened instead of waiting for the user to activate it. ClamAV detects the file as 'Xls.Dropper.Agent-7648271-0': the signature name classifies it as a dropper, and the Xls prefix is the file-type platform in ClamAV's naming scheme, consistent with the RTF carrying an Excel/OLE payload rather than being a spreadsheet itself. An object of class Package further supports the intent to embed and execute external content, because the OLE Package class can wrap an arbitrary file (an executable or a script, for example) that is written to disk and run when the object is activated.

Heuristics (5)

  • ClamAV: Xls.Dropper.Agent-7648271-0 [critical · CLAMAV_DETECTION]
    ClamAV detected this file as malware: Xls.Dropper.Agent-7648271-0
  • \objupdate forces OLE activation [high · RTF_OBJUPDATE]
    RTF contains \objupdate, which forces the embedded OLE object to be instantiated when the document is opened, without the user having to click on it. The control word is rarely used by legitimate documents and is strongly associated with Equation Editor exploit documents.
  • Package object class [high · RTF_OBJCLASS_PACKAGE]
    OLE Package object. The Package class can wrap an arbitrary file (executable, script, archive) that is dropped to disk and executed when the object is activated.
  • OLE object data [medium · RTF_OBJDATA]
    RTF contains 5 \objdata section(s): the hex-encoded bodies of embedded OLE objects.
  • Embedded OLE object [medium · RTF_OBJEMB]
    RTF contains \objemb, which marks the object as embedded (rather than linked).

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename                     Kind                 Source                         Size
objdata_00_off00000a80.bin   rtf-objdata-decoded  RTF \objdata at offset 0xA80   34875 bytes
SHA-256: d86ef93bd07e5670b561b98f184f11fb940659fa6bfc9a73bfa67bb504e8b6e7

Note that the heuristics count five \objdata sections while only one carved object is listed here; the other four sections are not represented in this table.
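As an added example (not the analysis platform's own code), the following Python script reproduces both the checks the heuristics above key on (\objupdate, \objemb, \objclass Package, the \objdata count) and the \objdata carving shown in the artifacts table: it walks each {\*\objdata ...} group, records its byte offset, decodes the hex body and parses the OLE1 header it carries to recover the class name and native data. It runs over a constructed RTF, not the analysed sample; the OLE1 layout follows MS-OLEDS, and the objdata_NN_offXXXXXXXX.bin filenames mirror the table's naming as an assumption about the tool's convention.

```python
r"""RTF OLE-object triage: flag the control words the heuristics above key on
(\objupdate, \objemb, \objclass Package, \objdata) and decode each \objdata hex
body into the OLE1 stream it carries, the way the artifacts table carves them.
Added example, not the analysis platform's code."""
import re
import struct

# Constructed sample (NOT the analysed file): one embedded Package object with
# \objupdate set.  The hex body is an OLE1 EmbeddedObject (MS-OLEDS 2.2.5):
# OLEVersion, FormatID=2 (embedded), class name "Package", empty TopicName and
# ItemName, NativeDataSize, NativeData (the 8-byte CFB magic as a stand-in).
SAMPLE_RTF = (
    b"{\\rtf1\\ansi\\deff0\n"
    b"{\\object\\objemb\\objupdate{\\*\\objclass Package}\n"
    b"{\\*\\objdata 01050000 02000000 08000000 5061636b61676500\n"
    b"00000000 00000000 08000000 d0cf11e0a1b11ae1}}\n"
    b"}\n"
)

HEX_DIGITS = frozenset(b"0123456789abcdefABCDEF")   # iterating bytes gives ints


def find_objdata_groups(rtf: bytes):
    r"""Yield (offset, hex_text) for every {\*\objdata ...} group.

    offset is where \*\objdata starts, matching the report's
    'RTF \objdata at offset' column.  Nested groups are skipped by brace
    counting and non-hex bytes are ignored, which is how most triage tools
    tolerate the junk that obfuscated samples scatter through the body."""
    for m in re.finditer(rb"\\\*\\objdata", rtf):
        pos, depth, hexchars = m.end(), 1, bytearray()
        while pos < len(rtf) and depth > 0:
            c = rtf[pos]
            if c == 0x7B:                      # '{' opens a nested group
                depth += 1
            elif c == 0x7D:                    # '}' closes one
                depth -= 1
            elif depth == 1 and c in HEX_DIGITS:
                hexchars.append(c)
            pos += 1
        yield m.start(), bytes(hexchars)


def read_ansi_string(buf: bytes, pos: int):
    """LengthPrefixedAnsiString: uint32 length (including the NUL), then bytes."""
    (n,) = struct.unpack_from("<I", buf, pos)
    return buf[pos + 4:pos + 4 + n].rstrip(b"\x00"), pos + 4 + n


def parse_ole1_object(data: bytes) -> dict:
    """Parse the OLE1 ObjectHeader; for FormatID 2 also pull out the NativeData."""
    ole_version, format_id = struct.unpack_from("<II", data, 0)
    class_name, pos = read_ansi_string(data, 8)
    _topic, pos = read_ansi_string(data, pos)
    _item, pos = read_ansi_string(data, pos)
    info = {"ole_version": ole_version, "format_id": format_id,
            "class_name": class_name.decode("latin-1"), "native_data": b""}
    if format_id == 2:                          # EmbeddedObject: size + payload
        (size,) = struct.unpack_from("<I", data, pos)
        info["native_data"] = data[pos + 4:pos + 4 + size]
    return info


def triage_rtf(rtf: bytes):
    r"""Return (findings, objects): the report's heuristic flags and one dict per
    carved \objdata object, named objdata_NN_offXXXXXXXX.bin like the table."""
    objects = []
    for off, hx in find_objdata_groups(rtf):
        if len(hx) % 2:                         # odd nibble count: drop the tail
            hx = hx[:-1]
        raw = bytes.fromhex(hx.decode("ascii"))
        entry = {"offset": off, "size": len(raw), "raw": raw,
                 "filename": f"objdata_{len(objects):02d}_off{off:08x}.bin",
                 "class_name": None}
        try:
            entry.update(parse_ole1_object(raw))
        except struct.error:                    # too short, or not OLE1 at all
            pass
        objects.append(entry)
    findings = {
        "RTF_OBJUPDATE": b"\\objupdate" in rtf,
        "RTF_OBJEMB": b"\\objemb" in rtf,
        "RTF_OBJCLASS_PACKAGE": re.search(rb"\\objclass\s+Package\b", rtf) is not None,
        "RTF_OBJDATA": len(objects),            # number of \objdata sections
    }
    return findings, objects


if __name__ == "__main__":
    flags, objs = triage_rtf(SAMPLE_RTF)
    for name, value in flags.items():
        print(f"{name:22s} {value}")
    for o in objs:
        print(f"{o['filename']}: class={o['class_name']} "
              f"native={len(o['native_data'])} bytes at 0x{o['offset']:X}")
```

For a real sample the native data recovered from a Package object is the dropped file itself and is the next thing to hash and analyse; oletools' rtfobj performs this same extraction with far more robust handling of the obfuscation seen in the wild, and this script is only meant to make the report's heuristics and offsets concrete.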