MALICIOUS
Risk Score: 242
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment
The RTF file contains multiple indicators of exploitation, specifically related to CVE-2017-8570 and CVE-2017-0199, which are known to drop SCT scripts. The presence of OLE object data and composite monikers strongly suggests an attempt to execute arbitrary code. While the document body appears benign, the underlying exploit mechanism is clear.
Heuristics (7)
- Composite Moniker — CVE-2017-8570 (drops SCT script) [critical] (CVE_2017_8570): RTF \objdata decodes to OLE data containing the Composite Moniker — CVE-2017-8570 (drops SCT script) CLSID — the vulnerable control/moniker is embedded directly in the document's object stream, the delivery shape of this exploit. RTF objects auto-render when Word opens the file.
- Composite Moniker in RTF OLE object [high] (RTF_COMPOSITE_MONIKER_RELATED): RTF contains the Composite Moniker CLSID in an OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
- ClamAV: Rtf.Exploit.CVE_2017_0199-6335035-0 [critical] (CLAMAV_DETECTION): ClamAV detected this file as malware: Rtf.Exploit.CVE_2017_0199-6335035-0
- Automatically linked OLE object [high] (RTF_OBJAUTLINK): RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
- OLE object data [medium] (RTF_OBJDATA): RTF contains 30 \objdata section(s) — embedded OLE objects.
- OlePres presentation stream in RTF OLE object [medium] (RTF_OLEPRES_STREAM): RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
- Embedded URL [info] (EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)
  - http://at-share.anntaylor.com/sites/labdiptracking/Shared%20Documents/Corporate%20Color%20Chart/Corporate%20Color%20Chart.xlsx (in RTF body)
Extracted artifacts (30)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| objdata_00_off000038a9.bin | rtf-objdata-decoded | RTF \objdata at offset 0x38A9 | 4137 bytes | 360ada652c4a1f4e21631c5cc7ccf7610aeeff29fb726808d94b65e899a9298b |
| objdata_01_off000064b7.bin | rtf-objdata-decoded | RTF \objdata at offset 0x64B7 | 4137 bytes | 6c49898621153219b873ac97286c6ab2c02ef1e98193aa2fc3540388bcde9726 |
| objdata_02_off0000910f.bin | rtf-objdata-decoded | RTF \objdata at offset 0x910F | 4137 bytes | 2e4a20cb5a5a8f4b7b4599a452024214e70dd55f075ac958454cc621b57e6435 |
| objdata_03_off0000bda6.bin | rtf-objdata-decoded | RTF \objdata at offset 0xBDA6 | 4137 bytes | 20a55e5b6c35cca070214cceb98a2a759496763e6abbdb46b739d663a34dab5d |
| objdata_04_off0000ea0e.bin | rtf-objdata-decoded | RTF \objdata at offset 0xEA0E | 4137 bytes | 72590a9939dd2f85d851cc57aeb5ad8a87b0178c8327e8fa6480093eb5879786 |
| objdata_05_off00011d60.bin | rtf-objdata-decoded | RTF \objdata at offset 0x11D60 | 4137 bytes | 1b4b9e66e52234a5035a986e6bafa340c603d0af5d2b911426edb5e513dc533c |
| objdata_06_off0001497f.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1497F | 4137 bytes | 90d42d34e0937111d609a89328f3710d0d29aea78c17e433a79b183edf41727d |
| objdata_07_off00017520.bin | rtf-objdata-decoded | RTF \objdata at offset 0x17520 | 4137 bytes | babba320339884974a6fdb8c7312c83a41d88523ae79011b3d48eaf1fc386c6e |
| objdata_08_off0001a06a.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1A06A | 4137 bytes | 2b069f8de9b5c1faa14ec18b881f8d8a6fd4f2bfd995049003abdd855d6567d4 |
| objdata_09_off0001cc0b.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1CC0B | 4137 bytes | b3bfb61d0abad565171322f39fdeb0f55319239891ce964289d63d05beb8d67b |
| objdata_10_off0001fe74.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1FE74 | 4137 bytes | a4ac60628dc26f7ecdaa491bec777c6a249b5f45f032785812f7e7083e3490b6 |
| objdata_11_off00022a13.bin | rtf-objdata-decoded | RTF \objdata at offset 0x22A13 | 4137 bytes | 336417f44a4cf82be25b5cc28e3e79d6220a5d6bf356f33c35469d6bba382420 |
| objdata_12_off000255ae.bin | rtf-objdata-decoded | RTF \objdata at offset 0x255AE | 4137 bytes | b42d3d7353fe77346f1d08b7371cfeab52fa6a708ee0f187d855307357545ed3 |
| objdata_13_off000280f9.bin | rtf-objdata-decoded | RTF \objdata at offset 0x280F9 | 4137 bytes | 1087cc9e6716a15a14d7400077213f8a5841fb44c4e95d43c59835cbb4e9b163 |
| objdata_14_off0002ac4b.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2AC4B | 4137 bytes | 40475749465a672ccb50fdf0f894c5a2d181984a34df412ce46470e4d6554ce6 |
| objdata_15_off0002de28.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2DE28 | 4137 bytes | 1c6c31b1f6d0028d467c1744d77dd58ff1d0cbd97c52639d84527a7266271509 |
| objdata_16_off000308e5.bin | rtf-objdata-decoded | RTF \objdata at offset 0x308E5 | 4137 bytes | a8d5975b45407fe6b5b63fd6962ffb3ac57cc6d33f440d15e191a1eb9f11e8c3 |
| objdata_17_off00033350.bin | rtf-objdata-decoded | RTF \objdata at offset 0x33350 | 4137 bytes | 1d08f93e6f329b0be8356a75b73dbd0cbb377f8317661bee64103f5f8ed1b2d9 |
| objdata_18_off00035db9.bin | rtf-objdata-decoded | RTF \objdata at offset 0x35DB9 | 4137 bytes | 659472e50506898926ef327cacb3df66d2bf0967374e684f21498f9a52f877ec |
| objdata_19_off00038897.bin | rtf-objdata-decoded | RTF \objdata at offset 0x38897 | 4137 bytes | cfd257015e35d2809d4d58b0410962f9863c393a031600363d969de189351ee7 |
| objdata_20_off0003baad.bin | rtf-objdata-decoded | RTF \objdata at offset 0x3BAAD | 4137 bytes | 1861d3ce5518f1f51822d61bf8e734a8bb046bb8e8d1e7984299dd472b902381 |
| objdata_21_off0003e5e3.bin | rtf-objdata-decoded | RTF \objdata at offset 0x3E5E3 | 4137 bytes | 2231ffc15e9e1b8d27d701ccfdb67b23b2b744662bfa29c1b2187a8e1e13ec36 |
| objdata_22_off00041164.bin | rtf-objdata-decoded | RTF \objdata at offset 0x41164 | 4137 bytes | 65f385986bcadfc8ac8430f605f01cdff8922a5febed82e72a01a3ea2622332c |
| objdata_23_off00043cfc.bin | rtf-objdata-decoded | RTF \objdata at offset 0x43CFC | 4137 bytes | a7bf8abbb4e5561842fdffa7f8f9939d988507f945bbab49bd6878d5c83d3e9c |
| objdata_24_off00046895.bin | rtf-objdata-decoded | RTF \objdata at offset 0x46895 | 4137 bytes | 0f6dcde1c2aa4aba089cc107573c01e8fd42bbe0e790b47bfddf0ca50d074b0b |
| objdata_25_off00049a98.bin | rtf-objdata-decoded | RTF \objdata at offset 0x49A98 | 4137 bytes | 0d62ff8fda49f3fc9d178e7fadbdf699ef16ebd939223745c1b9c928d2d483ea |
| objdata_26_off0004c62e.bin | rtf-objdata-decoded | RTF \objdata at offset 0x4C62E | 4137 bytes | 1ef3239429d4a3b0899a11d112440e134a6572a77ac1575a7b022badaed29acf |
| objdata_27_off0004f16b.bin | rtf-objdata-decoded | RTF \objdata at offset 0x4F16B | 4137 bytes | 08e9674bb5c96f9fe6ef2ae9c52d8d53348298a6167783b1ab3d49eba502effb |
| objdata_28_off00051cfd.bin | rtf-objdata-decoded | RTF \objdata at offset 0x51CFD | 4137 bytes | c1af4f4e524921605e76fe804110c0370d8d98583022bcc3cc189ff831b60c82 |
| objdata_29_off0005488f.bin | rtf-objdata-decoded | RTF \objdata at offset 0x5488F | 4137 bytes | 5c9688ab59c5e1feb1100bbb14ea6571115aa34e83bc413efb30282732c9b7ab |