Buzus RTF / .DOC malware analysis — malicious · d47c6c0e80def9da

MALICIOUS

RTF / .DOC

75.0 KB Authoring application: Msftedit 5.41.15.1515

MD5: 865da837cfb7367c4217a890922746c7 SHA-1: a6164fa98d138e38b7e5b897c09c2cd31cc0d9b4 SHA-256: d47c6c0e80def9da636df838c395f03b8651fc7a6d116cdf24f0dbda71d05fd4

260 Risk Score

Malware Insights

Buzus · confidence 95%

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1027 Obfuscated Files or Information T1105 Ingress Tool Transfer

The RTF file contains embedded OLE object data, specifically a Package object, which in turn contains a PE header. ClamAV detections identify this as Win.Trojan.Buzus-7508. This strongly suggests the RTF is a dropper designed to execute the embedded malicious binary.

Heuristics 6

PE header (with DOS stub) in hex data critical RTF_MZ_HEX

Hex-encoded PE (MZ + DOS stub) found inside RTF — likely an embedded executable payload
ClamAV: Win.Trojan.Buzus-7508 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Win.Trojan.Buzus-7508
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
Package object class high RTF_OBJCLASS_PACKAGE

OLE Package object — can wrap arbitrary files
OLE object data medium RTF_OBJDATA

RTF contains 1 \objdata section(s) — embedded OLE objects
Embedded OLE object medium RTF_OBJEMB

RTF contains \objemb — embedded OLE object

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off000000d2.bin` `0eee49079f61499f33f922ac59d6a0c4c16a86890ea512abbbfdca23967fa9dc`	rtf-objdata-decoded	RTF \objdata at offset 0xD2	33547 bytes
Detection ClamAV: Win.Trojan.Buzus-7508 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.