Xls.Malware.Sload-7135989-0 — RTF malware analysis

Static analysis result for SHA-256 2a8fb09c696dffcd…

MALICIOUS

RTF

Size: 312.9 KB
Authoring application: Riched20 10.0.17134
First seen: 2021-02-20
MD5: 4c8790499709bb6ce228ca0c99cfe86a
SHA-1: 01c0512015b9f0f80173cc3ded25e384517b91b5
SHA-256: 2a8fb09c696dffcdbaaee03b8de29d39ccde55d33973f41d118989d9883966d7
Risk Score: 220

Malware Insights

Xls.Malware.Sload-7135989-0 · confidence 95%

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF file contains multiple OLE objects, with heuristics indicating that \objupdate forces OLE activation. ClamAV detections identify the embedded content as 'Xls.Malware.Sload-7135989-0', suggesting it is designed to exploit vulnerabilities for client execution. The presence of OLE objects and the activation trigger strongly imply a malicious document intended for delivery via spearphishing.

Heuristics (5)

  • ClamAV: Xls.Malware.Sload-7135989-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.Sload-7135989-0
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 5 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • OlePres presentation stream in RTF OLE object medium RTF_OLEPRES_STREAM
    RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Columns: Filename, Kind, Source, Size

  • objdata_00_off00000113.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x113
    Size: 31136 bytes
    SHA-256: 1d00df72b6a4921cee492187897b08de973612da584db4bdd810ad84e93d82df
    Detection: ClamAV: Xls.Malware.Sload-7135989-0
    Obfuscation or payload: unlikely
  • objdata_01_off0000fb48.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0xFB48
    Size: 31136 bytes
    SHA-256: db3e84648a6a6c7320891540fc7c874db3d1f9f5dbae9572ec23883c36639237
    Detection: ClamAV: Xls.Malware.Sload-7135989-0
    Obfuscation or payload: unlikely
  • objdata_02_off0001f57d.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x1F57D
    Size: 31136 bytes
    SHA-256: 4d27bac0d9d04c4d997be702ec7d7320cdc60f652d246d6a8fe4e22829c1e2cd
    Detection: ClamAV: Xls.Malware.Sload-7135989-0
    Obfuscation or payload: unlikely
  • objdata_03_off0002efb2.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x2EFB2
    Size: 31136 bytes
    SHA-256: ddbe1ae993ad9e36714c79fbc10b3cc82129cff3a5775e5384f0b021a69c1998
    Detection: ClamAV: Xls.Malware.Sload-7135989-0
    Obfuscation or payload: unlikely
  • objdata_04_off0003e9e7.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x3E9E7
    Size: 31136 bytes
    SHA-256: 1c400f6e7614787ec7047f9e34c27988a86221563f1494540121396d4d1e37a1
    Detection: ClamAV: Xls.Malware.Sload-7135989-0
    Obfuscation or payload: unlikely