Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 03f8e27f39e345ba…

MALICIOUS

RTF / .DOC

205.2 KB
MD5: b6cc532d63d79646568419f740bc79de SHA-1: 0fedf0f9ed7fb1168b92e4ff67b49812864215cc SHA-256: 03f8e27f39e345bac00b9cb1ecfd148ffe12828f4de774ab8920755baf8687b8
100 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The RTF document contains an OLE object, indicated by the RTF_OBJDATA heuristic. The SC_XOR_ENCODED heuristic suggests that strings within the file are obfuscated, likely to hide malicious code or URLs. This combination points to an attempt to exploit vulnerabilities or deliver a secondary payload, commonly seen in spearphishing attachments.

Heuristics 3

  • XOR-encoded strings (key 0xF3) critical SC_XOR_ENCODED
    Found 2 Windows library/API name(s) XOR-encoded with single-byte key 0xF3: 'advapi32.dll', 'advapi32.dll'
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • OlePres presentation stream in RTF OLE object medium RTF_OLEPRES_STREAM
    RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off0000c688.bin
f3684bc8f950262d8028d3aa39ed8ba73b4ac2a99953e9e5a299dde7f51440c3		 rtf-objdata-decoded RTF \objdata at offset 0xC688 5686 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.