Verdict: MALICIOUS
Risk Score: 282
Heuristics (8)
- Composite Moniker — CVE-2017-8570 (drops SCT script) (critical, CVE_2017_8570): RTF \objdata decodes to OLE data containing the Composite Moniker CLSID. The vulnerable control/moniker is embedded directly in the document's object stream, which is the delivery shape of this exploit. RTF objects auto-render when Word opens the file.
- Composite Moniker in RTF OLE object (high, RTF_COMPOSITE_MONIKER_RELATED): RTF contains the Composite Moniker CLSID in an OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat this as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
- ClamAV: Rtf.Exploit.CVE_2017_0199-6335035-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Rtf.Exploit.CVE_2017_0199-6335035-0
- Automatically linked OLE object (high, RTF_OBJAUTLINK): RTF contains \objautlink, an automatically linked OLE object surface that can be updated or activated when Word opens the document.
- Large hex data blocks in OLE object (high, RTF_EXCESSIVE_HEX): RTF contains ~1002KB of hex-encoded data inside \objdata sections, which may hide a payload.
- OLE object data (medium, RTF_OBJDATA): RTF contains 18 \objdata section(s), i.e. embedded OLE objects.
- OlePres presentation stream in RTF OLE object (medium, RTF_OLEPRES_STREAM): RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)
  - https://domvoting-my.sharepoint.com/personal/yash_dave_dominionvoting_com/Documents/Desktop/Financial%20Statements%202020/DIH%20Consolidated%20Draft%20FS%20FYE%202020%20v1.xlsx (in RTF body)
  - https://domvoting-my.sharepoint.com/personal/yash_dave_dominionvoting_com/Documents/Desktop/Financial%20Statements%202020/DIH% (in RTF body)
Extracted artifacts (18)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| objdata_00_off0000d72f.bin | rtf-objdata-decoded | RTF \objdata at offset 0xD72F | 30712 bytes | 4614a356cde69fad0b2f9698aeb7b7bf96a969364735cf69807210b07ff408ef |
| objdata_01_off0002378f.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2378F | 47490 bytes | 72c7128e7f4fc36573e32478003d09c720e9bf6d9ef68a1d5810f0658daa5964 |
| objdata_02_off00063945.bin | rtf-objdata-decoded | RTF \objdata at offset 0x63945 | 19196 bytes | 5e979f5294aba1c3db3986da48e9fb3b3b5b2433d36210efbea25e2872dc7a94 |
| objdata_03_off00071065.bin | rtf-objdata-decoded | RTF \objdata at offset 0x71065 | 27952 bytes | 7b53c53287feca1d62da6dc5f1cd88cca82c4427d915004d357825c06f8858bf |
| objdata_04_off00097bac.bin | rtf-objdata-decoded | RTF \objdata at offset 0x97BAC | 28268 bytes | a01a84216c4c65945b60993c67d6cb4d26b8ea52b9fad8d75ae371660dd0cc21 |
| objdata_05_off000abdaa.bin | rtf-objdata-decoded | RTF \objdata at offset 0xABDAA | 51347 bytes | f82a59c486056f5cd77b4c6163d76d6f8d352e1f907f090804861b787a1bf20a |
| objdata_06_off001003af.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1003AF | 6022 bytes | c32b4a8cd0059ade99799aadab4cbcc2273c1b0c542a819c90923acbb92cbcb6 |
| objdata_07_off0010a989.bin | rtf-objdata-decoded | RTF \objdata at offset 0x10A989 | 8082 bytes | 962199a159a3e5a4e462a7371c2836e8f3632736c01f78764da518e1cb65d3ec |
| objdata_08_off0010fbdb.bin | rtf-objdata-decoded | RTF \objdata at offset 0x10FBDB | 2056 bytes | 014c8ac257c2faaf0ff8ab0131948ca59cb6409d03a383138ba470c8cdf4d790 |
| objdata_09_off001124e2.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1124E2 | 14010 bytes | 80b9a77362c6364d5cbce02ad2f2a26bc9dfb7e13ef39ccc9f256e144dccdc00 |
| objdata_10_off0011b02d.bin | rtf-objdata-decoded | RTF \objdata at offset 0x11B02D | 2932 bytes | 5f71abfeb07d01204c318e698c0c0d16929ff3b1ec937da87977095f016cbaf1 |
| objdata_11_off0011e2dd.bin | rtf-objdata-decoded | RTF \objdata at offset 0x11E2DD | 2721 bytes | ea31689c2726c81d2762c1b01a710faab9167a231e0a8480834161d7b3074003 |
| objdata_12_off00121f63.bin | rtf-objdata-decoded | RTF \objdata at offset 0x121F63 | 9354 bytes | a9e4bdd9a360139df91af63da0ebe97add16751f4622d58d7f210c735560d038 |
| objdata_13_off00127972.bin | rtf-objdata-decoded | RTF \objdata at offset 0x127972 | 2373 bytes | ac7246e8d6b293be9ae7e464a2362be488ca43198eb000282158a8a8329473c2 |
| objdata_14_off0012a86a.bin | rtf-objdata-decoded | RTF \objdata at offset 0x12A86A | 11740 bytes | 038840586f0d1392ed73bbe8cb63f9036ab471a66a17fbf0a823327a92f1cc3d |
| objdata_15_off00131c05.bin | rtf-objdata-decoded | RTF \objdata at offset 0x131C05 | 2321 bytes | 534aefca2533f2c6fb8b8ecbcb2f0bfcae165e325cb96878ebf0592083aad42a |
| objdata_16_off00134602.bin | rtf-objdata-decoded | RTF \objdata at offset 0x134602 | 2197 bytes | b659fbe9646ba328da2370309a6fef23a65349958ebd0fb380c2a50fe97f6f9a |
| objdata_17_off001483e1.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1483E1 | 34157 bytes | b095bca4b851bf9da84401cfcf08515dde525888d2cb3d40d178db03b970c18d |