Win.Trojan.Cycler-383 RTF / .DOC malware analysis — malicious · df3114ecbae7987b

MALICIOUS

RTF / .DOC

114.0 KB Authoring application: Msftedit 5.41.15.1515

MD5: c4937f52fe0489f1db96137c2db3e807 SHA-1: ab5cc587109e12d2f91e3d2dddacf517c73c65c7 SHA-256: df3114ecbae7987b065c266d80a079790b0c76829c65b659f778474d7c885c45

260 Risk Score

Malware Insights

Win.Trojan.Cycler-383 · confidence 95%

MITRE ATT&CK

T1559.001 Component Object Model T1204.002 Malicious File

The RTF document contains an embedded OLE object, which in turn contains a PE header. ClamAV signatures identify this as Win.Trojan.Cycler-383. This suggests the RTF is a container for a malicious executable payload.

Heuristics 6

PE header (with DOS stub) in hex data critical RTF_MZ_HEX

Hex-encoded PE (MZ + DOS stub) found inside RTF — likely an embedded executable payload
ClamAV: Win.Trojan.Cycler-383 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Win.Trojan.Cycler-383
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
Package object class high RTF_OBJCLASS_PACKAGE

OLE Package object — can wrap arbitrary files
OLE object data medium RTF_OBJDATA

RTF contains 1 \objdata section(s) — embedded OLE objects
Embedded OLE object medium RTF_OBJEMB

RTF contains \objemb — embedded OLE object

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off000000c3.bin` `7cdfed3bb7a0497a30436bc646d9bda877078aab262e6596eaa4bf8680706ad0`	rtf-objdata-decoded	RTF \objdata at offset 0xC3	53038 bytes
Detection ClamAV: Win.Trojan.Cycler-383 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.