Malicious RTF — malware analysis report

Static analysis result for SHA-256 289a1152858f1066…

MALICIOUS

RTF

623.1 KB Authoring application: Riched20 100.0.17134
MD5: 70b3153afcb160be64e6ffd5c6f02fe0 SHA-1: 589207ba779f681f4ca4fb8911416a19b4f7f810 SHA-256: 289a1152858f1066f1451fc0e85f03160e37b85affcd40b89a669d08cbf19e77
240 Risk Score

Malware Insights

MITRE ATT&CK
T1559.002 Component Object Model Hijacking T1204.002 Malicious File

The RTF file contains multiple indicators of OLE object manipulation, including RTF_OBJDATA, RTF_OBJEMB, RTF_OBJUPDATE, and RTF_COMPOSITE_MONIKER_RELATED. The presence of RTF_MZ_HEX strongly suggests that an executable payload is embedded or will be dropped. The document body content appears to be a lure, discussing historical figures, which is unrelated to the malicious technical findings.

Heuristics 7

  • Composite Moniker in RTF OLE object high CVE related RTF_COMPOSITE_MONIKER_RELATED
    RTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
  • PE header (with DOS stub) in hex data critical RTF_MZ_HEX
    Hex-encoded PE (MZ + DOS stub) found inside RTF — likely an embedded executable payload
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • Package object class high RTF_OBJCLASS_PACKAGE
    OLE Package object — can wrap arbitrary files
  • OLE object data medium RTF_OBJDATA
    RTF contains 4 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • OlePres presentation stream in RTF OLE object medium RTF_OLEPRES_STREAM
    RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off000233d0.bin
998436ea9c199a58c1ce9faa5385b47b698f3999bb104bbb65f5d2416e01eb0f		 rtf-objdata-decoded RTF \objdata at offset 0x233D0 1375 bytes
objdata_01_off00023edc.bin
9de9b14c6b694e2e240b6f9d921d98a385711227cda5430de32344048215a2ae		 rtf-objdata-decoded RTF \objdata at offset 0x23EDC 108132 bytes
objdata_02_off000596e2.bin
b1a4fd73b2e9307f901e146183d7029f19941b61cae830d862f24de70f867e1e		 rtf-objdata-decoded RTF \objdata at offset 0x596E2 2633 bytes
objdata_03_off0005abd2.bin
e22438504c74c771e8fea1defa7b11fd77d30f9312c11f1c60af98f52d2e535d		 rtf-objdata-decoded RTF \objdata at offset 0x5ABD2 131503 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.