Malicious RTF — malware analysis report

Static analysis result for SHA-256 3603b05885f8ed33…

MALICIOUS

RTF

Size: 350.2 KB
Authoring application: Msftedit 5.41.15.1507
First seen: 2014-04-05
MD5: 414e1c94cb6a97a0e32dc921e2ae897f
SHA-1: b12401bdb0915e14bba3ae097557f76ae3c8c1cd
SHA-256: 3603b05885f8ed336866e4aacab5a9f4ad6f2f90ae2aa39031e96ddac529ba48
Risk Score: 102

Heuristics (5)

  • Package object class (high) — RTF_OBJCLASS_PACKAGE
    OLE Package object — can wrap arbitrary files
  • OLE object data (medium) — RTF_OBJDATA
    RTF contains 2 \objdata section(s) — embedded OLE objects
  • Embedded OLE object (medium) — RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • OlePres presentation stream in RTF OLE object (medium) — RTF_OLEPRES_STREAM
    RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
  • Suspicious extracted artifact info — EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                    Kind                  Source                          Size
objdata_00_off0000010f.bin  rtf-objdata-decoded   RTF \objdata at offset 0x10F    8080 bytes
  SHA-256: 2daa68f8a544a07498549f574e8d878c89714c670d9974fde10db9d6893180a7
objdata_01_off00004224.bin  rtf-objdata-decoded   RTF \objdata at offset 0x4224   166680 bytes
  SHA-256: 51e423ada864162db23ed3847c756f4f8169f0aed9de00ed2f0882e6bbad4c3f

Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.54, consistent with packed or encrypted content.