Malicious RTF — malware analysis report

Static analysis result for SHA-256 17803d4ec11f2253…

MALICIOUS

RTF

Size: 195.3 KB
First seen: 2019-01-11
MD5: ce409240e62da6c5a1df2e6823cfea50
SHA-1: 9ee4343e9ca79462632cd51325c0402b9cc80ae0
SHA-256: 17803d4ec11f2253a907ede1992b35cc23c6bb3640801933157490e2cbf6db52
Risk Score: 200

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The file is an RTF document containing embedded OLE objects, specifically triggering heuristics related to Equation Editor vulnerabilities. The critical ClamAV detection 'Rtf.Exploit.CVE_2018_0802-6825822-0' strongly indicates exploitation of CVE-2018-0802 via the Equation Editor. This technique allows for arbitrary code execution, likely as part of a spearphishing attachment campaign.

Heuristics (5)

  • Equation Editor CLSID (critical, CVE likely) [RTF_EQUATION_EDITOR]
    Equation Editor OLE CLSID found inside an OLE object; this CLSID is the one exploited by CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798.
  • ClamAV: Rtf.Exploit.CVE_2018_0802-6825822-0 (critical) [CLAMAV_DETECTION]
    ClamAV detected this file as malware: Rtf.Exploit.CVE_2018_0802-6825822-0
  • \objupdate forces OLE activation (high) [RTF_OBJUPDATE]
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (medium) [RTF_OBJDATA]
    RTF contains 4 \objdata section(s), i.e. embedded OLE objects.
  • OlePres presentation stream in RTF OLE object (medium) [RTF_OLEPRES_STREAM]
    RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind                  Source                          Size
objdata_00_off00000089.bin    rtf-objdata-decoded   RTF \objdata at offset 0x89     464 bytes
  SHA-256: 2b5103f6deded26620a1784499ddf4205544f74f9d566301884660b870f90f56
objdata_01_off0002e1e3.bin    rtf-objdata-decoded   RTF \objdata at offset 0x2E1E3  4679 bytes
  SHA-256: f8bfb193f9f11cf441a5c8a68b651c15a4340c7d97594e6e042cd1be19f59f20