Malicious RTF — malware analysis report

Static analysis result for SHA-256 002aa27f885a41c0…

MALICIOUS

RTF

Size: 1.16 MB
Authoring application: Riched20 10.0.17763
First seen: 2020-09-24
MD5: d7fe21a31639cb7fc530cf01b216db75
SHA-1: 51bd5efbe0b8655212ffae41f921a37be3d15af0
SHA-256: 002aa27f885a41c0108156bbd72c08479d7eb0fc7bcfd49a9cc490c1954c5e7e
Risk Score: 300

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution

The RTF file contains multiple embedded OLE objects, with ".objupdate" directives indicating an attempt to force activation. High heuristic scores for excessive hex data within these objects suggest a hidden payload. ClamAV detections of 'Xls.Malware.Stratos-7506050-0' on the main file and an extracted artifact further confirm malicious intent, likely involving exploitation for client execution.

Heuristics 7

  • Composite Moniker in RTF OLE object (severity: high; CVE related; RTF_COMPOSITE_MONIKER_RELATED)
    RTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
  • ClamAV: Xls.Malware.Stratos-7506050-0 (severity: critical; CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Malware.Stratos-7506050-0
  • \objupdate forces OLE activation (severity: high; RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • Large hex data blocks in OLE object (severity: high; RTF_EXCESSIVE_HEX)
    RTF contains ~1064KB of hex-encoded data inside \objdata sections, which may hide a payload.
  • OLE object data (severity: medium; RTF_OBJDATA)
    RTF contains 8 \objdata section(s), i.e. embedded OLE objects.
  • Embedded OLE object (severity: medium; RTF_OBJEMB)
    RTF contains \objemb, an embedded OLE object.
  • OlePres presentation stream in RTF OLE object (severity: medium; RTF_OLEPRES_STREAM)
    RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.

Extracted artifacts 8

Files carved from inside the sample during analysis.

Columns: Filename, Kind, Source, Size

objdata_00_off00000113.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x113
  Size: 74088 bytes
  SHA-256: 0a8bf96a128f3c69686c7944a6f4666d6e2bde70dcc3f3f7b37b5ddaf5fc0394
  Detection: ClamAV: Xls.Malware.Stratos-7506050-0
  Obfuscation or payload: unlikely

objdata_01_off00025374.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x25374
  Size: 74088 bytes
  SHA-256: b72b392d0cef12651c491b3901325000d098baca139a6c437421e79d660b3a20
  Detection: ClamAV: Xls.Malware.Stratos-7506050-0
  Obfuscation or payload: unlikely

objdata_02_off0004a5d5.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x4A5D5
  Size: 74088 bytes
  SHA-256: a7f86cc6094c62ed81cfcd77b16c29feba0e962a94776e9c73b3ad22e013a633
  Detection: ClamAV: Xls.Malware.Stratos-7506050-0
  Obfuscation or payload: unlikely

objdata_03_off0006f836.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x6F836
  Size: 74088 bytes
  SHA-256: 90a700979cf0bec9d7150d8ecbd51ce6d658a0538be4296cf90063ff9aedc496
  Detection: ClamAV: Xls.Malware.Stratos-7506050-0
  Obfuscation or payload: unlikely

objdata_04_off00094a97.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x94A97
  Size: 74088 bytes
  SHA-256: 523e03f1470c36dffaf09c1cf12bfd4caa2cc69d13d831b69905dcf05eb0914a
  Detection: ClamAV: Xls.Malware.Stratos-7506050-0
  Obfuscation or payload: unlikely

objdata_05_off000b9cf8.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0xB9CF8
  Size: 74088 bytes
  SHA-256: ebea87941586bac816cd0fd69572b880086bfd5feaec6895c22f38f0992d0d5b
  Detection: ClamAV: Xls.Malware.Stratos-7506050-0
  Obfuscation or payload: unlikely

objdata_06_off000def59.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0xDEF59
  Size: 74088 bytes
  SHA-256: 922cee55be1b62f7180fe3a88e08eac22d995aa3a0d0dd07f4b112e152b3c6c5
  Detection: ClamAV: Xls.Malware.Stratos-7506050-0
  Obfuscation or payload: unlikely

objdata_07_off001041ba.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x1041BA
  Size: 74088 bytes
  SHA-256: 6d2b74c1bfdb28a77aeb961292d43b73a36de3324f22495ec6aa257714c5e28a
  Detection: ClamAV: Xls.Malware.Stratos-7506050-0
  Obfuscation or payload: unlikely