Verdict: MALICIOUS (Risk Score 242)

Malware Insights

MITRE ATT&CK: T1203 Exploitation for Client Execution
The RTF file embeds 15 OLE objects and triggers critical heuristics for CVE-2017-8570 (the Composite Moniker CLSID inside \objdata) as well as ClamAV's Rtf.Exploit.CVE_2017_0199-6335035-0 signature. The ClamAV name refers to CVE-2017-0199 while the structural heuristics point at CVE-2017-8570; the two are related Office OLE-moniker bugs, and the CLSID evidence is the more specific indicator. Either way the file is built to exploit the OLE object path, most likely to drop and run a secondary payload such as an SCT scriptlet. The visible document body consists of color codes and product numbers, which is likely a lure or obfuscation.
Heuristics (7)

- Composite Moniker — CVE-2017-8570 (drops SCT script) [critical; rule CVE_2017_8570]: an RTF \objdata group decodes to OLE data containing the Composite Moniker CLSID, so the vulnerable moniker is embedded directly in the document's object stream, which is the delivery shape of this exploit. RTF objects auto-render when Word opens the file.
- Composite Moniker in RTF OLE object [high; rule RTF_COMPOSITE_MONIKER_RELATED]: the RTF contains the Composite Moniker CLSID in an OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat this as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
- ClamAV: Rtf.Exploit.CVE_2017_0199-6335035-0 [critical; rule CLAMAV_DETECTION]: ClamAV detected this file as malware with signature Rtf.Exploit.CVE_2017_0199-6335035-0.
- Automatically linked OLE object [high; rule RTF_OBJAUTLINK]: the RTF contains \objautlink, an automatically linked OLE object that can be updated or activated when Word opens the document.
- OLE object data [medium; rule RTF_OBJDATA]: the RTF contains 15 \objdata sections (embedded OLE objects).
- OlePres presentation stream in RTF OLE object [medium; rule RTF_OLEPRES_STREAM]: an embedded OLE object carries an OlePres presentation stream. OlePres is an ordinary OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
- Embedded URL [info; rule EMBEDDED_URL]: one or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label says which channel (macro, JS, link annotation, document body, ...) reached it.
  - http://schemas.microsoft.com/office/word/2003/wordml (in RTF body). This is the WordprocessingML namespace that Word writes into documents, not a network indicator.
  - http://at-share.anntaylor.com/sites/labdiptracking/Shared%20Documents/Corporate%20Color%20Chart/Corporate%20Color%20Chart.xlsx (in RTF body). The only external link in the sample; its file name matches the color-chart lure theme of the document body.
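The RTF_OBJDATA, RTF_OBJAUTLINK and composite-moniker checks above can be reproduced with a short script. The following is an added example, not the analyzer's own code: it walks every \objdata group, reassembles the hex into bytes (tracking nested braces and skipping stray control words, as obfuscated RTF requires), counts \objautlink, and searches each decoded object for the Composite, New and URL moniker CLSIDs. The function names, the OLE1 builder and the SAMPLE_RTF at the bottom are all constructed for this demo; the CLSID values themselves are the registered ones.

```python
"""RTF OLE-object triage (added example, not the analyzer's code).
Re-implements the gist of the RTF_OBJDATA / RTF_OBJAUTLINK / composite
moniker heuristics. The sample RTF at the bottom is constructed."""
import re
import struct
import uuid

# Well-known moniker CLSIDs. On disk a GUID stores its first three fields
# little-endian, which is exactly what uuid.bytes_le yields.
MONIKER_CLSIDS = {
    "CompositeMoniker": uuid.UUID("00000309-0000-0000-C000-000000000046"),
    "NewMoniker": uuid.UUID("ECABAFC6-7F19-11D2-978E-0000F8757E2A"),
    "URLMoniker": uuid.UUID("79EAC9E0-BAF9-11CE-8C82-00AA004BA90B"),
}
MONIKER_BYTES = {name: g.bytes_le for name, g in MONIKER_CLSIDS.items()}
HEXDIGITS = b"0123456789abcdefABCDEF"


def extract_objdata(rtf: bytes):
    """Yield (offset, decoded bytes) for every \\objdata group.

    Only hex digits are collected; whitespace and control words inside the
    group are skipped and nested braces are tracked, so hex that Word or an
    obfuscator split across lines is reassembled. Scanning stops at the brace
    closing the group that holds \\objdata. (\\bin raw data is not handled.)
    """
    for m in re.finditer(rb"\\objdata\b", rtf):
        i, depth, hexchars = m.end(), 0, bytearray()
        while i < len(rtf):
            c = rtf[i:i + 1]
            if c == b"{":
                depth += 1
            elif c == b"}":
                depth -= 1
                if depth < 0:
                    break
            elif c == b"\\":  # skip \controlword123 or a control symbol \x
                j = i + 1
                if rtf[j:j + 1].isalpha():
                    while rtf[j:j + 1].isalpha():
                        j += 1
                    while rtf[j:j + 1].isdigit() or rtf[j:j + 1] == b"-":
                        j += 1
                else:
                    j += 1
                i = j
                continue
            elif c in HEXDIGITS:
                hexchars += c
            i += 1
        if len(hexchars) % 2:
            hexchars = hexchars[:-1]  # tolerate a truncated trailing nibble
        yield m.start(), bytes.fromhex(hexchars.decode("ascii"))


def count_control_word(rtf: bytes, word: bytes) -> int:
    """Count a control word such as b"objautlink" (with a word boundary)."""
    return len(re.findall(rb"\\" + re.escape(word) + rb"\b", rtf))


def moniker_hits(blob: bytes) -> list:
    """Names of known moniker CLSIDs found anywhere in decoded OLE data.
    A raw byte search is what the heuristic needs; a GUID straddling a CFB
    sector boundary would be missed, so a full CFB parse is the backstop."""
    return sorted(name for name, raw in MONIKER_BYTES.items() if raw in blob)


def triage(rtf: bytes) -> dict:
    """Count \\objdata and \\objautlink and flag moniker CLSIDs per object."""
    objects = [{"offset": off, "size": len(b), "monikers": moniker_hits(b)}
               for off, b in extract_objdata(rtf)]
    return {
        "objdata_count": len(objects),
        "objautlink_count": count_control_word(rtf, b"objautlink"),
        "objects": objects,
        "composite_moniker": any("CompositeMoniker" in o["monikers"] for o in objects),
    }


# ---- constructed sample (not a real malicious document) -----------------
def _lpstr(s: bytes) -> bytes:
    """MS-OLEDS LengthPrefixedAnsiString: 4-byte length incl. NUL, then bytes."""
    return (struct.pack("<I", len(s) + 1) + s + b"\x00") if s else struct.pack("<I", 0)


def ole1_object(class_name: bytes, native: bytes) -> bytes:
    """Minimal OLE1 EmbeddedObject: ObjectHeader + NativeDataSize + NativeData."""
    return (struct.pack("<II", 0x00000501, 2) + _lpstr(class_name) + _lpstr(b"")
            + _lpstr(b"") + struct.pack("<I", len(native)) + native)


def _objdata_group(blob: bytes, autolink: bool) -> bytes:
    hexed = blob.hex().encode("ascii")
    lines = b"\r\n".join(hexed[i:i + 64] for i in range(0, len(hexed), 64))
    kind = b"\\objautlink" if autolink else b"\\objemb"
    return b"{\\object" + kind + b"{\\*\\objclass Package}{\\*\\objdata " + lines + b"}}"


# Object 0 carries the composite + new moniker CLSIDs (the CVE-2017-8570
# shape); object 1 is an ordinary embedded blob with no moniker at all.
MALICIOUS_NATIVE = (b"\x00" * 8 + MONIKER_BYTES["CompositeMoniker"] + b"\x00" * 4
                    + MONIKER_BYTES["NewMoniker"] + b"\x00" * 8)
BENIGN_NATIVE = b"PK\x03\x04" + b"\x00" * 28
SAMPLE_RTF = (b"{\\rtf1\\ansi\\deff0 Color codes and product numbers\\par "
              + _objdata_group(ole1_object(b"Package", MALICIOUS_NATIVE), autolink=True)
              + _objdata_group(ole1_object(b"Package", BENIGN_NATIVE), autolink=False)
              + b"\\par }")

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_RTF), indent=2))
```

On a real sample, feed the file bytes to triage(); the per-object offsets correspond to the "RTF \objdata at offset" column in the artifact table, and a composite-moniker hit without a nearby scriptlet is exactly the RTF_COMPOSITE_MONIKER_RELATED case rather than confirmed exploitation.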
Extracted artifacts (15)

Files carved from inside the sample during analysis. All 15 decoded \objdata objects are exactly 4137 bytes, yet every SHA-256 differs, which is consistent with the same object template repeated with small per-copy variation rather than 15 distinct payloads.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| objdata_00_off00003884.bin | rtf-objdata-decoded | RTF \objdata at offset 0x3884 | 4137 bytes | 8ceedecbcd87a7b56530b3353bb2b2d8cbe113023e740962617ad2f109883c83 |
| objdata_01_off000063c7.bin | rtf-objdata-decoded | RTF \objdata at offset 0x63C7 | 4137 bytes | 25774a5f3bfaaeaa85d40c557e7a37b4665e67954f68d6db1c6a6c2005143e73 |
| objdata_02_off000090a0.bin | rtf-objdata-decoded | RTF \objdata at offset 0x90A0 | 4137 bytes | b86410a6cb7eff00a5d8e2c5ad9274825e22f7f01bf83dfce4de998d7869319a |
| objdata_03_off0000bcb8.bin | rtf-objdata-decoded | RTF \objdata at offset 0xBCB8 | 4137 bytes | 525300095a4462a055cfb9b0828f46c7158c4c41e241abaa1a3e4c370b4dc1de |
| objdata_04_off0000e8ca.bin | rtf-objdata-decoded | RTF \objdata at offset 0xE8CA | 4137 bytes | 68ee7282168ad8dd04e3e9818900a44611ed63e56617fa4779c3d317f2a19c3d |
| objdata_05_off00011c1c.bin | rtf-objdata-decoded | RTF \objdata at offset 0x11C1C | 4137 bytes | 9edf9d0287e7c69b6ab3a692c19abc5a7e4728788a6f2b8ad0187e0145fc8d09 |
| objdata_06_off0001483b.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1483B | 4137 bytes | 28b9a401de81747b2ffb349f694a4a99438bf0032d65512ee7faa4bfd7228575 |
| objdata_07_off000173dc.bin | rtf-objdata-decoded | RTF \objdata at offset 0x173DC | 4137 bytes | 81f776699fab28d74199e3268ecee183a35dc56a8b05812e5d8222285d0b815f |
| objdata_08_off00019f26.bin | rtf-objdata-decoded | RTF \objdata at offset 0x19F26 | 4137 bytes | 8b1ddee0cd75c9c42863002667311cc0601e4a555da9640832a4a8b423cecbe9 |
| objdata_09_off0001cac7.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1CAC7 | 4137 bytes | 416a4706dabc5b2684f50e8102c563499c991171c98c7bf4d506942422579e0d |
| objdata_10_off0001fd30.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1FD30 | 4137 bytes | f68cdd6fd2f59230a8a515a53f81fa89688b8a8dbeddf97a86dc252062be8122 |
| objdata_11_off000228cf.bin | rtf-objdata-decoded | RTF \objdata at offset 0x228CF | 4137 bytes | 0ed3290d0e1ba6e7ea714b53ac9720d098d1d9f8a7b617e2bb580994ceec4b11 |
| objdata_12_off0002546a.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2546A | 4137 bytes | 22830ccde31145e1215610c74c11eb5608126ef203fc39597e2b405a040241ea |
| objdata_13_off00027fb5.bin | rtf-objdata-decoded | RTF \objdata at offset 0x27FB5 | 4137 bytes | 6aef8061a9f191759d11aa4c9257500479566e99b230f4fe3211bc23878961d6 |
| objdata_14_off0002ab07.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2AB07 | 4137 bytes | 1a5428e5f5e7286faa781ff8805369828fe941a081512fe37ecccb3ff9d9d74c |