Malicious RTF — malware analysis report

Static analysis result for SHA-256 2692109849be3e8e…

MALICIOUS

RTF

612.7 KB Authoring application: Msftedit 5.41.15.1507 First seen: 2014-10-14
MD5: bef9901da1899a4b0a2c6311543f39a1 SHA-1: 843fbf1a410cd38a5f1a345e102ae596f9727a92 SHA-256: 2692109849be3e8edb225a676bf9681258627c6b1e1802c8db83057036a4270e
162 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF file contains multiple embedded OLE objects, including a package object, which is a strong indicator of malicious intent. ClamAV specifically detects this file as Doc.Exploit.CVE_2012_0158-6826115-0, confirming the exploitation of CVE-2012-0158. This exploit allows for client-side execution of arbitrary code, likely to download and run a secondary payload.

Heuristics 6

  • ClamAV: Rtf.Exploit.CVE_2012_0158-6817728-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Rtf.Exploit.CVE_2012_0158-6817728-0
  • Package object class high RTF_OBJCLASS_PACKAGE
    OLE Package object — can wrap arbitrary files
  • OLE object data medium RTF_OBJDATA
    RTF contains 5 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • OlePres presentation stream in RTF OLE object medium RTF_OLEPRES_STREAM
    RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off0000010f.bin rtf-objdata-decoded RTF \objdata at offset 0x10F 96080 bytes
SHA-256: 264b90d030efbbb1f8d9c7609fae269bc26ca83b0a1ae037b2a79a6a77e39bc1
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.70, consistent with packed or encrypted content.
objdata_01_off000302d4.bin rtf-objdata-decoded RTF \objdata at offset 0x302D4 166961 bytes
SHA-256: 2e40fb98fd78ff8dd1d8f406a3e848a83af1cbd58f34e0ab8bd90de5bb3136a7
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.54, consistent with packed or encrypted content.
objdata_02_off00083c1e.bin rtf-objdata-decoded RTF \objdata at offset 0x83C1E 440 bytes
SHA-256: ea5d234f81e7c6f4d2681a1e14ba35656c4caea1ff0358220f369a5f5b5ba6da
objdata_03_off00083fb4.bin rtf-objdata-decoded RTF \objdata at offset 0x83FB4 4824 bytes
SHA-256: ec24e19b83744d4e09d7c36843abb0f2ffc842a24c56e78b73a6e6bc0e097beb
objdata_04_off00084348.bin rtf-objdata-decoded RTF \objdata at offset 0x84348 2351 bytes
SHA-256: 481f603d3535dcf51c5c8032fb185aab10dcd87c09b91eb447f23154307605a4