Malicious RTF — malware analysis report

Static analysis result for SHA-256 11411a91de3d0eb8…

MALICIOUS

RTF

607.5 KB Authoring application: Msftedit 5.41.21.2510 First seen: 2014-03-22
MD5: 609cefa44b542ff634b439fc11b68faa SHA-1: 08f4896e9be36d7930a8bc47ce80c8869d64ee33 SHA-256: 11411a91de3d0eb89ba1b82280712b25f00407a9c1bbbc3041cf969aa53153d0
162 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF file contains multiple embedded OLE objects, including a package object, which is a strong indicator of malicious intent. ClamAV specifically detects this file as Doc.Exploit.CVE_2012_0158-6826115-0, confirming the exploitation of CVE-2012-0158. This exploit allows for client-side execution of arbitrary code, likely to download and run a secondary payload.

Heuristics 6

  • ClamAV: Rtf.Dropper.Agent-7148329-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Rtf.Dropper.Agent-7148329-0
  • Package object class high RTF_OBJCLASS_PACKAGE
    OLE Package object — can wrap arbitrary files
  • OLE object data medium RTF_OBJDATA
    RTF contains 5 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • OlePres presentation stream in RTF OLE object medium RTF_OLEPRES_STREAM
    RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off000000f2.bin rtf-objdata-decoded RTF \objdata at offset 0xF2 4175 bytes
SHA-256: c021ca1e645b2287292bbabd5f9633b135fa02739e0f3f93fe3826fccf15db9a
objdata_01_off000022a7.bin rtf-objdata-decoded RTF \objdata at offset 0x22A7 282160 bytes
SHA-256: 875feaa3ac9a7f091eb403ff990caf873934841b343305b13c487cb4c7c8c0b8
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.46, consistent with packed or encrypted content.
objdata_02_off0008f672.bin rtf-objdata-decoded RTF \objdata at offset 0x8F672 440 bytes
SHA-256: ea5d234f81e7c6f4d2681a1e14ba35656c4caea1ff0358220f369a5f5b5ba6da
objdata_03_off0008fa08.bin rtf-objdata-decoded RTF \objdata at offset 0x8FA08 4824 bytes
SHA-256: de7b9db2fbb54450654fc4542f00c05eb18c472d21b0f47a5a659ddcdb771b01
objdata_04_off0008fd9c.bin rtf-objdata-decoded RTF \objdata at offset 0x8FD9C 2351 bytes
SHA-256: 3dc8420da6b994fd419d7cfdfc0367e347304c1db04969391dd1aee827839010

Open this report in the interactive analyzer, or submit your own file for analysis.