RTF malware analysis — malicious · 35d9082ce3c3d346

MALICIOUS

RTF

1.30 MB Created: 2018-01-14 20:18:00 First seen: 2018-10-13

MD5: a5e4ab0d1d6124f5660643ea96240d73 SHA-1: fc6589f9205ad72f55c48a16a9961afe7d80c04a SHA-256: 35d9082ce3c3d34639b73886246ab00a6ae0e4a95dbe4f91684f6c3ef415459b

264 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The RTF file contains multiple embedded OLE objects with large amounts of hex-encoded data, a common technique for obfuscating malicious payloads. The presence of RTF_OBJUPDATE indicates that these objects are designed to be activated, likely leading to the execution of a dropped payload. ClamAV detections further confirm the malicious nature of the file and its extracted artifacts, suggesting it functions as a dropper.

Heuristics 8

ClamAV: Doc.Dropper.Agent-6953139-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Dropper.Agent-6953139-0
\objupdate forces OLE activation high RTF_OBJUPDATE

RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
Large hex data blocks in OLE object high RTF_EXCESSIVE_HEX

RTF contains ~1076KB of hex-encoded data inside \objdata sections — may hide a payload
OLE object data medium RTF_OBJDATA

RTF contains 4 \objdata section(s) — embedded OLE objects
Embedded OLE object medium RTF_OBJEMB

RTF contains \objemb — embedded OLE object
OlePres presentation stream in RTF OLE object medium RTF_OLEPRES_STREAM

RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.microsoft.com/office/word/2003/wordml In RTF body

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off00009e18.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x9E18	45627 bytes
SHA-256: `fbd1b639f8931cfa697b9d94df7476dbf451f727ec53f5521509ccfebd2a0abe`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.58, consistent with packed or encrypted content.
`objdata_01_off00055665.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x55665	45627 bytes
SHA-256: `74da2a871367ca4979cd7db7ea158efb0f8334ba6749c65826cf12727872437d`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.58, consistent with packed or encrypted content.
`objdata_02_off000a0eb4.bin`	rtf-objdata-decoded	RTF \objdata at offset 0xA0EB4	45627 bytes
SHA-256: `625c309d84e239f75c31caf2ddaa2ed32d068235fd137732a9fe1dff7c5ccbe4`
Detection ClamAV: Doc.Dropper.Agent-6953139-0 Obfuscation or payload: likely Carved artifact entropy is 7.58, consistent with packed or encrypted content.
`objdata_03_off000ec6ff.bin`	rtf-objdata-decoded	RTF \objdata at offset 0xEC6FF	76347 bytes
SHA-256: `ddcbb1d978785c56e27dec707eb505c3b826d987f2d0c37515c2a17f95c88b04`
Detection ClamAV: Doc.Dropper.Agent-6952932-0 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.