Malicious RTF — malware analysis report

Static analysis result for SHA-256 53ae1444e8206f33…

Verdict: MALICIOUS
File type: RTF
Size: 471.8 KB
First seen: 2015-06-09
MD5: ea20d11e52523d107699a5d829a30325
SHA-1: abcdb6f32ee84eb7a4e96bf345097f9ee49a52e5
SHA-256: 53ae1444e8206f330eb260f844f1bce6d6c25bda28b71df10a7db0bbba34b013
Risk score: 160

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The sample is an RTF document that ClamAV identifies as Rtf.Exploit.Cve_2014_1761-2, indicating exploitation of CVE-2014-1761. Heuristics confirm the presence of embedded OLE object data and XOR-encoded strings, both commonly used to obfuscate malicious payloads. Successful exploitation likely leads to execution of a secondary payload, although the specific download mechanism is not detailed in the available evidence.

Heuristics (4)

  • ClamAV: Rtf.Exploit.Cve_2014_1761-2 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Rtf.Exploit.Cve_2014_1761-2
  • XOR-encoded strings (key 0xF3) [critical, SC_XOR_ENCODED]
    Found 2 Windows library/API name(s) XOR-encoded with single-byte key 0xF3: 'advapi32.dll', 'advapi32.dll'
    Disassembly: attempted x86 opcode disassembly
    0000EE44  92                xchg edx, eax
    0000EE45  97                xchg edi, eax
    0000EE46  8592839ac0c1      test dword ptr [edx - 0x3e3f657d], edx
    0000EE4C  dd979f9f0080      fst qword ptr [edi - 0x7fff6061]
    0000EE52  8799989a9bdb      xchg dword ptr [ecx - 0x24646568], ebx
    0000EE58  91                xchg ecx, eax
    0000EE59  99                cdq
    0000EE5A  99                cdq
    0000EE5B  009c90c9e38fcd    add byte ptr [eax + edx*4 - 0x32701c37], bl
    0000EE62  97                xchg edi, eax
    0000EE63  8f                .byte 0x8f
    0000EE64  89cb              mov ebx, ecx
    0000EE66  61                popal
    0000EE67  d0359f39a600      sal byte ptr [0xa6399f], 1
    0000EE6D  f695abfd10df      not byte ptr [ebp - 0x20ef0255]
    0000EE73  6f                outsd dx, dword ptr [esi]
    0000EE74  9f                lahf
    0000EE75  7a97              jp 0xee0e
    0000EE77  6ac0              push -0x40
    0000EE79  1f                pop ds
    0000EE7A  75a9              jne 0xee25
    0000EE7C  649d              popfd
    0000EE7E  9d                popfd
    0000EE7F  e0df              loopne 0xee60
    0000EE81  b652              mov dh, 0x52
    0000EE83  aa                stosb byte ptr es:[edi], al
    0000EE84  d6                salc
    0000EE85  df                .byte 0xdf
    0000EE86  ce                into
    0000EE87  79c0              jns 0xee49
    0000EE89  7b1c              jnp 0xeea7
    0000EE8B  74e9              je 0xee76
    0000EE8D  32f0              xor dh, al
    0000EE8F  e6ed              out 0xed, al
    0000EE91  755f              jne 0xeef2
    0000EE93  ef                out dx, eax
    0000EE94  7758              ja 0xeeee
    0000EE96  d14ae2            ror dword ptr [edx - 0x1e], 1
    0000EE99  91                xchg ecx, eax
    0000EE9A  b740              mov bh, 0x40
    0000EE9C  60                pushal
    0000EE9D  c5                .byte 0xc5
    0000EE9E  c9                leave
    0000EE9F  4d                dec ebp
    0000EEA0  16                push ss
    0000EEA1  ec                in al, dx
    0000EEA2  1a00              sbb al, byte ptr [eax]
  • OLE object data [medium, RTF_OBJDATA]
    RTF contains 2 \objdata section(s) (embedded OLE objects)
  • OlePres presentation stream in RTF OLE object [medium, RTF_OLEPRES_STREAM]
    RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • objdata_00_off00000080.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x80
    Size: 14938 bytes
    SHA-256: 43b38d2893b3e8f015394ec8b01b41c9a09ea082c5ef1e57531bb6c69ecca39e
  • objdata_01_off00007868.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x7868
    Size: 5686 bytes
    SHA-256: ad7105df08ae2e1fd0ab47f30e3cce6337c3e810b110fb3c76da50ee3f0dd4d0