Malicious RTF — malware analysis report

Static analysis result for SHA-256 3f5fd5a4954e0230…

MALICIOUS

RTF

Size: 838.6 KB
Authoring application: Msftedit 5.41.15.1507
First seen: 2014-11-01
MD5: 425e6e29a9a22a3c4fe523be0d50682e
SHA-1: 06e15e42d9afbc5fa60f550a4e05d8465ac97962
SHA-256: 3f5fd5a4954e02301ae810fd9d8c885da9ce7afd13091dbf7a35bce58c4d7ed3
Risk Score: 162

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The sample is an RTF file containing embedded OLE objects, a common carrier for client-side exploits. ClamAV specifically identifies it as Rtf.Exploit.CVE_2012_0158-6817728-0, indicating exploitation of a known client-side vulnerability. The presence of multiple \objdata sections further supports this, suggesting the file is designed to execute arbitrary code when opened, likely to download and run a secondary payload.

Heuristics (6)

  • ClamAV: Rtf.Exploit.CVE_2012_0158-6817728-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Rtf.Exploit.CVE_2012_0158-6817728-0
  • Package object class [high, RTF_OBJCLASS_PACKAGE]
    OLE Package object: can wrap arbitrary files
  • OLE object data [medium, RTF_OBJDATA]
    RTF contains 5 \objdata section(s): embedded OLE objects
  • Embedded OLE object [medium, RTF_OBJEMB]
    RTF contains \objemb: embedded OLE object
  • OlePres presentation stream in RTF OLE object [medium, RTF_OLEPRES_STREAM]
    RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
  • Suspicious extracted artifact [info, EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Each entry lists filename, kind, source, size, SHA-256 and (where available) detection results.

  • objdata_00_off0000046a.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x46A
    Size: 218072 bytes
    SHA-256: b0e722c221e16d30dbe7d90e5da1d3db5385c3127ac477e00af8e8c0ade92d12
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact entropy is 7.82, consistent with packed or encrypted content)
  • objdata_01_off0006d6ff.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x6D6FF
    Size: 166961 bytes
    SHA-256: 5e898c50877fa7a8d7304a03cbfcc21346097689b52708da69b5c1e11bd786f2
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact entropy is 7.54, consistent with packed or encrypted content)
  • objdata_02_off000c1049.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0xC1049
    Size: 440 bytes
    SHA-256: ea5d234f81e7c6f4d2681a1e14ba35656c4caea1ff0358220f369a5f5b5ba6da
  • objdata_03_off000c13df.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0xC13DF
    Size: 4824 bytes
    SHA-256: f8ffc6c15768986e9b35b48516bf53c8de694db47cb9f09f068e26eceb86bb4a
  • objdata_04_off000c1773.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0xC1773
    Size: 2351 bytes
    SHA-256: 481f603d3535dcf51c5c8032fb185aab10dcd87c09b91eb447f23154307605a4