Malicious RTF — malware analysis report

Static analysis result for SHA-256 34501bc22919c674…

MALICIOUS

RTF

Size: 318.6 KB | Created: 2021-03-31 16:27:00 | First seen: 2021-06-04
MD5: c0ba3027d32238e9c529fa3dfc11df26
SHA-1: 77f90b56b604308e8d2f2525f1fd99e488d5da1c
SHA-256: 34501bc22919c674e5e56d054c744ea78aa4bfb8963aebb638a05a3641662cb5
Risk Score: 82

Malware Insights

MITRE ATT&CK
T1204.002 (Malicious File); T1566.001 (Spearphishing Attachment)

The RTF file triggers a heuristic for remote template injection, indicating an attempt to download a template from a remote URL. An embedded URL is present but is itself benign. The document body appears to be a medical report, most likely a lure to disguise the malicious intent. The primary attack vector is likely a spearphishing attachment, leading to the execution of malicious content.

Heuristics (4)

  • Remote template injection (\*\template → remote URL). Severity: high. Tags: CVE related. Rule: RTF_REMOTE_TEMPLATE
    The RTF's \*\template destination is a remote URL/UNC path. When Word opens the document it fetches and loads that template, which can carry macros or an exploit, deliver a scriptlet/HTA, or leak NTLM credentials over UNC. Benign documents attach only a local template, so a remote \*\template target is template-injection delivery (MITRE T1221).
    Evidence: remote \*\template target (Word fetches it on open).
  • OLE object data. Severity: medium. Rule: RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • OlePres presentation stream in RTF OLE object. Severity: medium. Rule: RTF_OLEPRES_STREAM
    RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
  • Embedded URL. Severity: info. Rule: EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (channel: RTF body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00008338.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x8338
Size: 5161 bytes
SHA-256: 70db1b4e021fac40a74baf7cc6e8b6bc570c564b48ee2062132f443ae17655e7