MALICIOUS
160
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
The RTF file contains embedded OLE objects, specifically a composite moniker, which is a common technique for exploiting vulnerabilities or delivering malicious content. The document body presents a seemingly benign email about report comments, likely a social engineering lure. The presence of OLE objects and the ClamAV detection strongly suggest malicious intent, likely involving exploitation of a vulnerability via the embedded object.
Heuristics 5
-
Composite Moniker in RTF OLE object high RTF_COMPOSITE_MONIKER_RELATEDRTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
-
ClamAV: Doc.Trojan.Class-37 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Class-37
-
OLE object data medium RTF_OBJDATARTF contains 1 \objdata section(s) — embedded OLE objects
-
Embedded OLE object medium RTF_OBJEMBRTF contains \objemb — embedded OLE object
-
OlePres presentation stream in RTF OLE object medium RTF_OLEPRES_STREAMRTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
objdata_00_off00000c33.bin |
rtf-objdata-decoded | RTF \objdata at offset 0xC33 | 71356 bytes |
SHA-256: 331148f332ec2b0340ca74d6742121aaab6a12269a1ba00173d501250c103f37 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.