Malicious RTF — malware analysis report

Static analysis result for SHA-256 222d4d5dce189ea9…

Verdict: MALICIOUS
File type: RTF
Size: 1.26 MB
Authoring application: Msftedit 5.41.21.2510
First seen: 2019-09-30
MD5: e1752174eed954d549058b5bd9c6ae2d
SHA-1: a8e97885e4035f961533af844c4b7e161b0f3b50
SHA-256: 222d4d5dce189ea94825525a537615ebd372fdf17807b1491dd64dc581176bc3
Risk score: 442

Malware Insights

MITRE ATT&CK: T1203 (Exploitation for Client Execution), T1566.001 (Spearphishing Attachment)

The RTF file contains multiple indicators of exploitation targeting Microsoft Equation Editor, specifically related to CVE-2017-11882 and CVE-2018-0802. The presence of OLE object data, embedded OLE objects, and a PE header within the hex-encoded data strongly suggests that the file is designed to deliver and execute a malicious payload. The ClamAV detection further confirms its malicious nature.

Heuristics (12)

  • Equation Editor CLSID [critical; CVE likely; RTF_EQUATION_EDITOR]
    Equation Editor OLE CLSID found inside an OLE object — exploited by CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798
  • Equation Editor activation — CVE-2017-11882 related [high; CVE related; CVE_2017_11882_ACTIVATION_RELATED]
    RTF decodes to an Equation.3 ProgID and requests OLE activation with \objemb plus \objupdate. This reaches the legacy Equation Editor attack surface used by CVE-2017-11882/CVE-2018-0802 documents, but the malformed MTEF/native payload needed for stronger attribution was not recovered.
  • ClamAV: Rtf.Exploit.CVE_2018_0802-6624871-1 [critical; CLAMAV_DETECTION]
    ClamAV detected this file as malware: Rtf.Exploit.CVE_2018_0802-6624871-1
  • PE header (with DOS stub) in hex data [critical; RTF_MZ_HEX]
    Hex-encoded PE (MZ + DOS stub) found inside RTF — likely an embedded executable payload
  • \objupdate forces OLE activation [high; RTF_OBJUPDATE]
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • Package object class [high; RTF_OBJCLASS_PACKAGE]
    OLE Package object — can wrap arbitrary files
  • Large hex data blocks in OLE object [high; RTF_EXCESSIVE_HEX]
    RTF contains ~1027 KB of hex-encoded data inside \objdata sections — may hide a payload
  • Suspicious extracted artifact [high; EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • OLE object data [medium; RTF_OBJDATA]
    RTF contains 12 \objdata section(s) — embedded OLE objects
  • Embedded OLE object [medium; RTF_OBJEMB]
    RTF contains \objemb — embedded OLE object
  • OlePres presentation stream in RTF OLE object [medium; RTF_OLEPRES_STREAM]
    RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
  • Embedded URL [info; EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://www.youtube.com/watch?v=av4lbel9aIo (in RTF body)

Extracted artifacts (12)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
--- | --- | --- | --- | ---
objdata_00_off000fae67.bin | rtf-objdata-decoded | RTF \objdata at offset 0xFAE67 | 106583 bytes | e85143cc76626d7d343dfd339a8371680b98a3ceaa7325c4144847200e7d75bf
objdata_01_off0013178d.bin | rtf-objdata-decoded | RTF \objdata at offset 0x13178D | 11936 bytes | 33d650c4fc244766044d933bf875cd85d4a9ac61caf26387e6f11e7b70c5a1d6
objdata_02_off0013750b.bin | rtf-objdata-decoded | RTF \objdata at offset 0x13750B | 4924 bytes | 9b3132abed34bb1995fec59755c8aea9a1a293c271f4e44929d1e054eb82e957
objdata_03_off00139bc1.bin | rtf-objdata-decoded | RTF \objdata at offset 0x139BC1 | 8495 bytes | 541ab3d67c928c621447ed7927b4db533647b39236e422cc3830b679e53d4b40
objdata_04_off0013de5d.bin | rtf-objdata-decoded | RTF \objdata at offset 0x13DE5D | 318 bytes | 7c3a0f1596954f54aa38a73f247eb72de70b0c51c72d6f5e1ae5eb798cc91237
objdata_05_off0013e117.bin | rtf-objdata-decoded | RTF \objdata at offset 0x13E117 | 877 bytes | 7bcfb18857cb240b3bab6d6b5f5a89c12c518ac1adedaeab0b69311ccb8962f0
objdata_06_off0013e82f.bin | rtf-objdata-decoded | RTF \objdata at offset 0x13E82F | 366 bytes | f5f4e5a67631c9c0c35a6abbd531d0f86ead4082348e1696b9fc8808a6d10565
objdata_07_off0013eb49.bin | rtf-objdata-decoded | RTF \objdata at offset 0x13EB49 | 439 bytes | ba191084f2bf5c95900ba5caed0c079db17079f311f3c499707e81c73be0fbdc
objdata_08_off0013eef5.bin | rtf-objdata-decoded | RTF \objdata at offset 0x13EEF5 | 1067 bytes | 686de0ec5c10485ee5872918976ca74b996daa69703d2efa59ca84450ff331cd
objdata_09_off0013f789.bin | rtf-objdata-decoded | RTF \objdata at offset 0x13F789 | 325 bytes | 10e483e6e7042bca49df9e0c47c2b056c63816045f1613a74bae1e20f0b0727a
objdata_10_off0013fa51.bin | rtf-objdata-decoded | RTF \objdata at offset 0x13FA51 | 316 bytes | ecefd37d2ea5005dde8ba5d8ec476beb715dbba30229f25da679f04409a4a6f5
objdata_11_off0013fd18.bin | rtf-objdata-decoded | RTF \objdata at offset 0x13FD18 | 3980 bytes | f4d786d811582767cf3ed047ea19104240ae318ac0769bce1ff9498067ca91ed

Detection notes (artifacts 04 through 11 carried no per-artifact findings)

  • objdata_00_off000fae67.bin
    ClamAV: No threats found
    Obfuscation or payload: likely. Carved artifact entropy is 7.97, consistent with packed or encrypted content.
  • objdata_01_off0013178d.bin
    ClamAV: No threats found
    Obfuscation or payload: likely. Carved artifact entropy is 7.92, consistent with packed or encrypted content.
  • objdata_02_off0013750b.bin
    ClamAV: No threats found
    Obfuscation or payload: likely. Carved artifact entropy is 7.85, consistent with packed or encrypted content.
  • objdata_03_off00139bc1.bin
    ClamAV: No threats found
    Obfuscation or payload: likely. Static shellcode analysis recovered command string(s):
    WScript.CreateObject('ADODB.Stream');var VLyHVJzX;iuxzf.Open();var hqgoHmawNUZzavJdGvHPRnMtteeANEF;iuxzf.Type=1;iuxzf.Write(huz);var jTavcuYLBiep;iuxzf.Position=0;var
    Carved artifact contains 5 shell/COM execution token(s).