RTF / .DOC malware analysis — malicious · e8e26ca7f3604796

MALICIOUS

RTF / .DOC

87.2 KB Authoring application: Msftedit 5.41.15.1515

MD5: 3758caa8e3b5207e36b6f3636eaa0b8f SHA-1: ae5463e6a13b7eef81191a032d9c21bb61e154c1 SHA-256: e8e26ca7f360479627535ce0162f21d94b4f4a8526710d338620a2e54e5cba16

260 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1204.002 Malicious File

The RTF document contains embedded OLE object data, specifically identified as a package object. Critical heuristics indicate the presence of a PE header within this data, and ClamAV signatures confirm it as 'Win.Trojan.Agent-514729'. This strongly suggests the document is a delivery mechanism for a malicious executable.

Heuristics 6

PE header (with DOS stub) in hex data critical RTF_MZ_HEX

Hex-encoded PE (MZ + DOS stub) found inside RTF — likely an embedded executable payload
ClamAV: Win.Trojan.Agent-514729 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Win.Trojan.Agent-514729
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
Package object class high RTF_OBJCLASS_PACKAGE

OLE Package object — can wrap arbitrary files
OLE object data medium RTF_OBJDATA

RTF contains 1 \objdata section(s) — embedded OLE objects
Embedded OLE object medium RTF_OBJEMB

RTF contains \objemb — embedded OLE object

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off000000c2.bin` `16356a8d1614ec4639e42695cd8c5c3dc447b59051b376dc8517fe99407ad3a9`	rtf-objdata-decoded	RTF \objdata at offset 0xC2	40199 bytes
Detection ClamAV: Win.Trojan.Agent-514729 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.