Malicious RTF — malware analysis report

Static analysis result for SHA-256 209b2f58e8928f9e…

Verdict: MALICIOUS
File type: RTF

Size: 447.4 KB
Authoring application: Msftedit 5.41.15.1507
First seen: 2014-07-31
MD5: e73c900258369f930367b38c74ea386c
SHA-1: b10405a175b3d5df8810092ab0fec8a6677449f9
SHA-256: 209b2f58e8928f9eb796bed63dedb1e08eca2efdffc98f6ae2c0ab7b5c0f5ff5
Risk Score: 162

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The sample is an RTF file that contains embedded OLE objects (five \objdata sections) and matches heuristics for CVE-2014-1761 (an oversized \listoverridecount value) and CVE-2012-0158 (a ClamAV signature hit), consistent with exploitation for client execution (T1203) delivered as a spearphishing attachment (T1566.001). Taken together, the embedded OLE objects and the two CVE indicators point to a document built to exploit one of these vulnerabilities when it is opened in Word. Note that both CVE indicators are static heuristics (a control-word bound and an antivirus signature), not confirmation that the exploit is functional; dynamic analysis in a vulnerable Office build is needed to confirm the actual exploitation path.

Heuristics (6)

  • CVE-2014-1761 — \listoverridecount large value [severity: high, CVE match: exact, CVE_2014_1761]
    The RTF \listoverridecount value 26112847940857370449405885673409503602111784280794777832934290349023843232909896375822393900277583421388878778333911111111200000000285293483488705430874425078757034875808754369295340574804543845224085780683347503493200 far exceeds normal bounds (a genuine list override table holds at most a handful of overrides). Out-of-range values of this control word are what CVE-2014-1761 abuses to trigger heap corruption in Word; the flaw has been used in targeted attacks.
  • ClamAV: Doc.Exploit.CVE_2012_0158-6826115-0 [severity: critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware with signature Doc.Exploit.CVE_2012_0158-6826115-0.
  • OLE object data [severity: medium, RTF_OBJDATA]
    The RTF contains 5 \objdata section(s), i.e. five hex-encoded embedded OLE objects.
  • Embedded OLE object [severity: medium, RTF_OBJEMB]
    The RTF contains \objemb, marking at least one object as embedded rather than linked.
  • OlePres presentation stream in RTF OLE object [severity: medium, RTF_OLEPRES_STREAM]
    The RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation-stream marker and, on its own, is not sufficient to identify CVE-2025-21298.
  • Suspicious extracted artifact [severity: info, EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
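As an added example (not code from the report or from the analysis pipeline that produced it), the script below reproduces in Python the three checks the heuristics above rest on: flagging \listoverridecount values that exceed a plausibility bound, carving hex-encoded \objdata blobs and parsing their OLE1 ObjectHeader (MS-OLEDS layout: OLEVersion, FormatID, three length-prefixed ANSI strings, then NativeDataSize and NativeData for FormatID 2), and computing the Shannon entropy of the carved NativeData, the same measure the report gives for its carved artifacts. The RTF it scans is constructed inline and is not the analyzed sample; the bound of 1000, the "Package" class name, and the 4 KB pseudo-random payload are this example's assumptions.

```python
"""RTF triage: \listoverridecount bound check, \objdata carving, OLE1 header parse, entropy.
Added example; the document it scans is constructed below, not the analyzed sample."""
import hashlib
import math
import re
import struct

HEX_CHARS = frozenset(b"0123456789abcdefABCDEF")
# Assumption of this example: a real list override table holds a handful of entries,
# so anything above this bound is treated as "far exceeds normal bounds".
LISTOVERRIDE_BOUND = 1000

LISTOVERRIDE_RE = re.compile(rb"\\listoverridecount(-?\d+)")
OBJDATA_RE = re.compile(rb"\\objdata(?![A-Za-z])")


def find_listoverridecounts(data):
    """Return (offset, value) for every \listoverridecount control word.
    Python ints are unbounded, so the 200-digit value in the report parses as-is."""
    return [(m.start(), int(m.group(1))) for m in LISTOVERRIDE_RE.finditer(data)]


def carve_objdata_hex(data, start):
    """Collect hex digits following an \objdata control word until its group closes.
    Nested groups are skipped and control words (e.g. \bin) are not mistaken for hex.
    Limitation: raw \binN payloads are not decoded by this example."""
    depth, i, hexbuf = 0, start, bytearray()
    while i < len(data):
        c = data[i]
        if c == 0x7B:                      # '{' opens a nested group
            depth += 1
        elif c == 0x7D:                    # '}' closes a group; depth 0 ends the payload
            if depth == 0:
                break
            depth -= 1
        elif c == 0x5C:                    # backslash: control word or escaped char
            i += 1
            if i < len(data) and data[i:i + 1].isalpha():
                while i < len(data) and (data[i:i + 1].isalnum() or data[i] == 0x2D):
                    i += 1
                continue                   # re-examine the delimiter character
        elif depth == 0 and c in HEX_CHARS:
            hexbuf.append(c)
        i += 1
    if len(hexbuf) % 2:                    # tolerate a dangling nibble
        del hexbuf[-1]
    return bytes.fromhex(hexbuf.decode("ascii"))


def parse_ole1_embedded(blob):
    """Parse the OLE1 ObjectHeader of an \objdata blob; return class name and NativeData
    (only FormatID 2, embedded object, carries NativeData)."""
    if len(blob) < 8:
        return None
    version, format_id = struct.unpack_from("<II", blob, 0)
    off, names = 8, []
    for _ in range(3):                     # ClassName, TopicName, ItemName
        if off + 4 > len(blob):
            return None
        (n,) = struct.unpack_from("<I", blob, off)
        off += 4
        names.append(blob[off:off + n].rstrip(b"\0").decode("latin-1", "replace"))
        off += n
    native = b""
    if format_id == 2 and off + 4 <= len(blob):
        (size,) = struct.unpack_from("<I", blob, off)
        native = blob[off + 4:off + 4 + size]
    return {"version": version, "format_id": format_id,
            "class_name": names[0], "native_data": native}


def shannon_entropy(data):
    """Shannon entropy in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def scan_rtf(data):
    """Run the three checks over an RTF byte string."""
    findings = [("listoverridecount_out_of_bounds", off, val)
                for off, val in find_listoverridecounts(data)
                if val > LISTOVERRIDE_BOUND or val < 0]
    objects = []
    for m in OBJDATA_RE.finditer(data):
        hdr = parse_ole1_embedded(carve_objdata_hex(data, m.end()))
        if hdr is None:
            continue
        native = hdr["native_data"]
        objects.append({"offset": m.start(), "class_name": hdr["class_name"],
                        "size": len(native), "sha256": hashlib.sha256(native).hexdigest(),
                        "entropy": round(shannon_entropy(native), 2)})
    return {"findings": findings, "objects": objects}


def build_sample_rtf():
    """Constructed test document (not the analyzed sample): an absurd \listoverridecount
    and one embedded "Package" object carrying 4 KB of deterministic pseudo-random data."""
    native = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    header = struct.pack("<II", 0x0501, 2)           # OLEVersion, FormatID=2 (embedded)
    for name in (b"Package", b"", b""):
        name += b"\0"
        header += struct.pack("<I", len(name)) + name
    hexdata = (header + struct.pack("<I", len(native)) + native).hex().encode("ascii")
    hexlines = b"\r\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))
    rtf = (b"{\\rtf1\\ansi\\deff0"
           b"{\\*\\listoverridetable{\\listoverride\\listid1\\listoverridecount"
           + str(2 ** 200).encode("ascii") + b"\\ls1}}"
           b"{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata\r\n"
           + hexlines + b"\r\n}}\\par\r\n}")
    return rtf, native


if __name__ == "__main__":
    rtf, _ = build_sample_rtf()
    report = scan_rtf(rtf)
    for kind, off, val in report["findings"]:
        print(f"{kind} at 0x{off:x}: {len(str(val))}-digit value")
    for o in report["objects"]:
        print(f"\\objdata at 0x{o['offset']:x}: class={o['class_name']} "
              f"size={o['size']} entropy={o['entropy']} sha256={o['sha256'][:16]}...")
```

Run it against a real RTF with `scan_rtf(open(path, "rb").read())`; carved objects whose entropy sits near 8 bits per byte, as the report's 7.54 does, warrant unpacking or sandbox detonation rather than further static inspection.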

Extracted artifacts (5)

Files carved from inside the sample during analysis.

objdata_00_off00000107.bin
  Kind: rtf-objdata-decoded   Source: RTF \objdata at offset 0x107   Size: 8352 bytes
  SHA-256: c4ff18e2c865ba60d2b571b632fdc1d19a68006ce6a57b0ab7439e34f25a7875
objdata_01_off00004446.bin
  Kind: rtf-objdata-decoded   Source: RTF \objdata at offset 0x4446   Size: 14939 bytes
  SHA-256: d7664b7d968622eeaa3f4c65ff4ce164c38edfaf44cfc91bc214efdbe9dbedbc
objdata_02_off0000bc16.bin
  Kind: rtf-objdata-decoded   Source: RTF \objdata at offset 0xBC16   Size: 4827 bytes
  SHA-256: 3c52a4811b30e9b9ecea66f391aecc3d28df4e9d04afc9da230d8711cbc775e5
objdata_03_off0000bfaa.bin
  Kind: rtf-objdata-decoded   Source: RTF \objdata at offset 0xBFAA   Size: 2355 bytes
  SHA-256: 3797b6ebf96e36732093d5d3406d62a8f5d704b4072d3018c63591f7233a9b2f
objdata_04_off0000e559.bin
  Kind: rtf-objdata-decoded   Source: RTF \objdata at offset 0xE559   Size: 166961 bytes
  SHA-256: cf4f06a1f59ef56fd1670c9db3ed085746ab79b9789189b51f1f597e1b308628
Detection (carved artifacts)

ClamAV: No threats found on the carved artifacts themselves (the file-level ClamAV hit, Doc.Exploit.CVE_2012_0158-6826115-0, is listed under Heuristics above)
Obfuscation or payload: likely
Carved artifact entropy is 7.54 bits per byte, consistent with packed or encrypted content; the carved objects should be unpacked or detonated rather than judged clean on the basis of the missing ClamAV match.