Xls.Malware.Stratos-7506050-0 — RTF malware analysis

Static analysis result for SHA-256 2dafb53afa3996d6…

MALICIOUS

RTF

Size: 8.44 MB
Authoring application: Riched20 10.0.17763
First seen: 2020-09-07
MD5: e493e3907a59cd0a76449d282239a341
SHA-1: e65a3fd0eaf31f66e975763489c9214ef54b5984
SHA-256: 2dafb53afa3996d6b0a1c7bbd673dc9ae47bad80a1d5afe8de56e61d978e3855
Risk score: 240

Malware Insights

Xls.Malware.Stratos-7506050-0 · confidence 95%

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1203 Exploitation for Client Execution
T1574.002 Hijack Execution Flow: DLL Side-Loading (listed on the original report under the ID T1137.003, which is Outlook Forms; the technique name, not the ID, matches the analyst's intent)

The RTF file triggers several high-severity heuristics around its embedded OLE objects: forced activation via \objupdate, very large hex-encoded \objdata blocks, and a Composite Moniker CLSID inside object data. Together these strongly indicate a hidden payload. The ClamAV detection 'Xls.Malware.Stratos-7506050-0' corroborates the verdict; the 'Xls.' prefix is the target-type label in ClamAV's signature naming scheme and does not contradict the RTF container format. The file's structure suggests it is built to abuse OLE object activation on open in order to run a secondary stage; which stage that is was not confirmed by this static pass.

Heuristics (7)

  • RTF_COMPOSITE_MONIKER_RELATED (high, CVE related): Composite Moniker in RTF OLE object
    RTF contains the Composite Moniker CLSID in an OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat this as attack-surface evidence related to moniker abuse rather than proof of CVE-2017-8570 exploitation.
  • CLAMAV_DETECTION (critical): ClamAV: Xls.Malware.Stratos-7506050-0
    ClamAV detected this file as malware: Xls.Malware.Stratos-7506050-0
  • RTF_OBJUPDATE (high): \objupdate forces OLE activation
    RTF contains \objupdate, which makes the OLE object instantiate automatically when the document is opened, without any user interaction. It is rarely used in legitimate documents and is commonly seen in RTF exploit documents, including Equation Editor ones.
  • RTF_EXCESSIVE_HEX (high): Large hex data blocks in OLE object
    RTF contains ~1770KB of hex-encoded data inside \objdata sections, which may conceal a payload.
  • RTF_OBJDATA (medium): OLE object data
    RTF contains 5 \objdata section(s), i.e. embedded OLE objects.
  • RTF_OBJEMB (medium): Embedded OLE object
    RTF contains \objemb, marking an embedded (rather than linked) OLE object.
  • RTF_OLEPRES_STREAM (medium): OlePres presentation stream in RTF OLE object
    RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.

Extracted artifacts 5

Files carved from inside the sample during analysis. All five decoded objects have the same length (863054 bytes) but distinct SHA-256 hashes, so they are not byte-identical copies of one object.

Filename | Kind | Source | Size | SHA-256
objdata_00_off00000106.bin | rtf-objdata-decoded | RTF \objdata at offset 0x106 | 863054 bytes | bddabb084338861686b6729d5714200e2398eb606f61d1602ba35620e5fba271
objdata_01_off001b0532.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1B0532 | 863054 bytes | 740218b54f023ca792d1909bec4a1072cfede1ebea6eddd15d3e55beffabaa4e
objdata_02_off0036095e.bin | rtf-objdata-decoded | RTF \objdata at offset 0x36095E | 863054 bytes | 2d826ad0f55576073383c2ecfbd4c5494d66cf3933dc104785435e16cc965004
objdata_03_off00510d8a.bin | rtf-objdata-decoded | RTF \objdata at offset 0x510D8A | 863054 bytes | 6841e060dff21bfc9a2eed625d138a764fef9c57ce4f0e94e42116969c44b51c
objdata_04_off006c11b6.bin | rtf-objdata-decoded | RTF \objdata at offset 0x6C11B6 | 863054 bytes | 88828a10b3cbe0933f3a384a48fc3595ead1dd38a2e071d2870a183d561a00e1
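The heuristics above (\objemb, \objupdate, \objdata counting, the Composite Moniker CLSID check) and the artifact table (keyword offset, decoded size, SHA-256 per \objdata block) can be reproduced with a small carver. The following is an added example written for this page, not the analysis engine's own code and not a substitute for a full RTF parser such as oletools' rtfobj: it walks each \objdata group, collects the hex run while skipping nested groups and control words, decodes it, hashes it, and looks for the CompositeMoniker CLSID {00000309-0000-0000-C000-000000000046} in its on-the-wire byte order. The sample document, the 1 MB "excessive hex" threshold and the finding names are assumptions constructed for the example.

```python
import hashlib
import json
import re

# CLSID {00000309-0000-0000-C000-000000000046} (CompositeMoniker) as it appears
# in serialized OLE data: Data1/Data2/Data3 little-endian, Data4 as written.
COMPOSITE_MONIKER_CLSID = bytes.fromhex("0903000000000000c000000000000046")

# Assumed threshold for the "excessive hex" finding; the real engine's value is unknown.
EXCESSIVE_HEX_CHARS = 1_000_000

OBJDATA_RE = re.compile(rb"\\objdata\b")
HEXDIGITS = b"0123456789abcdefABCDEF"


def carve_objdata(rtf: bytes) -> list:
    """One entry per \\objdata group: keyword offset, hex length, decoded size, SHA-256, bytes.

    Hex digits are gathered from the end of the keyword up to the brace that closes
    the group. Nested groups and control words are skipped so their letters are not
    mistaken for hex; whitespace and line breaks are ignored, as RTF readers do.
    """
    objects = []
    for m in OBJDATA_RE.finditer(rtf):
        pos, depth, hexchars = m.end(), 0, bytearray()
        while pos < len(rtf):
            c = rtf[pos:pos + 1]
            if c == b"\\":                       # skip a control word (\foo) or escape
                pos += 1
                while pos < len(rtf) and rtf[pos:pos + 1].isalpha():
                    pos += 1
                continue
            if c == b"{":
                depth += 1
            elif c == b"}":
                if depth == 0:                   # closing brace of the \objdata group
                    break
                depth -= 1
            elif depth == 0 and c in HEXDIGITS:
                hexchars += c
            pos += 1
        if len(hexchars) % 2:                    # dangling nibble: drop it rather than crash
            hexchars = hexchars[:-1]
        data = bytes.fromhex(hexchars.decode("ascii"))
        objects.append({
            "offset": m.start(),                 # offset of the \objdata keyword itself
            "hex_chars": len(hexchars),
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "data": data,
        })
    return objects


def rtf_flags(rtf: bytes) -> dict:
    """Surface-level control words that govern OLE object activation."""
    return {
        "objemb": b"\\objemb" in rtf,
        "objupdate": b"\\objupdate" in rtf,
        "objdata_count": len(OBJDATA_RE.findall(rtf)),
    }


def has_composite_moniker(blob: bytes) -> bool:
    """True if the CompositeMoniker CLSID occurs anywhere in the decoded object."""
    return COMPOSITE_MONIKER_CLSID in blob


def analyze(rtf: bytes) -> dict:
    """Apply the page's RTF heuristics and return a JSON-serialisable report."""
    objects = carve_objdata(rtf)
    flags = rtf_flags(rtf)
    findings = []
    if flags["objupdate"]:
        findings.append("RTF_OBJUPDATE")
    if flags["objemb"]:
        findings.append("RTF_OBJEMB")
    if objects:
        findings.append("RTF_OBJDATA")
    if any(has_composite_moniker(o["data"]) for o in objects):
        findings.append("RTF_COMPOSITE_MONIKER_RELATED")
    if sum(o["hex_chars"] for o in objects) > EXCESSIVE_HEX_CHARS:
        findings.append("RTF_EXCESSIVE_HEX")
    artifacts = [{k: v for k, v in o.items() if k != "data"} for o in objects]
    return {"flags": flags, "objects": artifacts, "findings": findings}


def build_sample_rtf() -> bytes:
    """Constructed test document (not the analysed sample): a benign object plus a
    second object carrying the CompositeMoniker CLSID and forced with \\objupdate."""
    benign = b"OLE1 toy object " + b"\x00" * 16
    moniker = b"\x01\x05\x00\x00\x02\x00\x00\x00" + COMPOSITE_MONIKER_CLSID + b"\x00" * 8

    def objgroup(payload: bytes, update: bool = False) -> bytes:
        hexdata = payload.hex().encode()
        lines = b"\r\n".join(hexdata[i:i + 32] for i in range(0, len(hexdata), 32))
        return (b"{\\object\\objemb" + (b"\\objupdate" if update else b"")
                + b"{\\*\\objclass Package}{\\*\\objdata " + lines + b"}}")

    return b"{\\rtf1\\ansi\\par " + objgroup(benign) + b"\\par " + objgroup(moniker, True) + b"}"


SAMPLE_RTF = build_sample_rtf()

if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_RTF), indent=2))
```

Run against a real file with `analyze(open(path, "rb").read())`; the per-object offsets, sizes and SHA-256 values correspond to the columns of the artifact table, and the offsets let you cross-check that the carver did not fuse two adjacent \objdata groups.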