MALICIOUS
100
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
The RTF file contains multiple OLE object data sections and embedded OLE objects, indicated by the RTF_OBJDATA, RTF_OBJEMB, and RTF_OLE10NATIVE_STREAM heuristics. This strongly suggests the file is designed to exploit vulnerabilities associated with OLE object handling or to embed and execute malicious content. The document body appears to be templated data related to property viewing, which is likely a lure.
Heuristics 4
-
Ole10Native stream in RTF OLE object high RTF_OLE10NATIVE_STREAMRTF contains an embedded OLE object with an Ole10Native stream. This is a strong payload-container signal and is related to Word/OLE exploit delivery, but it is not specific enough on its own to assign a CVE.
-
OLE object data medium RTF_OBJDATARTF contains 2 \objdata section(s) — embedded OLE objects
-
Embedded OLE object medium RTF_OBJEMBRTF contains \objemb — embedded OLE object
-
OlePres presentation stream in RTF OLE object medium RTF_OLEPRES_STREAMRTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
objdata_00_off00000d2f.bin |
rtf-objdata-decoded | RTF \objdata at offset 0xD2F | 163940 bytes |
SHA-256: 618e2a7362e17c5a4fb6e4cb601c8216ea9d69df5bb0d7f15bf5105262395930 |
|||
objdata_01_off000698bb.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x698BB | 29799 bytes |
SHA-256: f0182bef585f533c8a32f790eb0c7945a98c5b7e2bd8f55252cdcfb9a6c2df4a |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.