Malicious RTF — malware analysis report

Static analysis result for SHA-256 093a3b1531b08b9c…

MALICIOUS

RTF

Size: 278.0 KB
Authoring application: Riched20 10.0.17763
First seen: 2021-07-07
MD5: 18f71f8c8c61376ed6404e8a2833a7e9
SHA-1: ec2687565b7b7b8c926b82f6216568f9fc72f51f
SHA-256: 093a3b1531b08b9cf657e8f456e5ec59798599a0b3b83b9208a8b4187d724deb
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The RTF document contains embedded OLE objects, indicated by the RTF_OBJDATA and RTF_OBJEMB heuristics. These objects are often used to deliver malicious payloads or exploit vulnerabilities within the application used to render the document. The document body text appears to be benign technical information, but the presence of OLE objects is a strong indicator of malicious intent.

Heuristics (3)

  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded OLE object (severity: medium, rule: RTF_OBJEMB)
    RTF contains \objemb — embedded OLE object
  • OlePres presentation stream in RTF OLE object (severity: medium, rule: RTF_OLEPRES_STREAM)
    RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off000001f0.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x1F0
Size: 132935 bytes
SHA-256: ab72aeca4c847de19ef0d6ef46f3440ec5410617022e6417a064f8fe22d1dbbc