Verdict: MALICIOUS
Risk Score: 164

Malware Insights

MITRE ATT&CK:
- T1203 Exploitation for Client Execution
- T1566.001 Spearphishing Attachment
The RTF file contains OLE objects and has triggered critical heuristics for ClamAV detections related to CVE-2015-1641. This indicates the file is designed to exploit a known vulnerability for client execution. The embedded OLE objects and the nature of the exploit suggest it's likely delivered as a spearphishing attachment, aiming to download and execute a secondary payload.
Heuristics (5)

- ClamAV: Doc.Exploit.CVE_2015_1641-6397417-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Exploit.CVE_2015_1641-6397417-0
- OLE object data (medium, RTF_OBJDATA): RTF contains 4 \objdata section(s), i.e. embedded OLE objects
- Embedded OLE object (medium, RTF_OBJEMB): RTF contains \objemb, an embedded OLE object
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document (all found in the RTF body). The URL itself is not a detection; the per-URL labels record which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts (4)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 | Detection |
|---|---|---|---|---|---|
| objdata_00_off0000001f.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1F | 53 bytes | 27dedb23bebf4c25762971c4eb486b0f3873347bf82424ea00f742257e85dac5 | none |
| objdata_01_off000000e1.bin | rtf-objdata-decoded | RTF \objdata at offset 0xE1 | 50737 bytes | fa8fa143ec5e1c13d6fc47ea2c648d3170d0198df673aa93d3061b30b6962788 | none |
| objdata_02_off000193cc.bin | rtf-objdata-decoded | RTF \objdata at offset 0x193CC | 31281 bytes | 43d09ede2f45c345e4c4f81b07c63d22c3263a033a48a64587717765efb77fe9 | ClamAV: Doc.Exploit.CVE_2015_1641-6397417-0. Obfuscation or payload: likely (carved artifact entropy is 7.69, consistent with packed or encrypted content). |
| objdata_03_off00028c57.bin | rtf-objdata-decoded | RTF \objdata at offset 0x28C57 | 50737 bytes | 23359808b0323878be921ef6997fdbb95ee1a65f135ae7d01561575673843b6b | ClamAV: Win.Exploit.Call4_Dword_Xor-1. Obfuscation or payload: unlikely. |