MALICIOUS
102
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
The RTF file contains multiple embedded OLE objects, with a significant portion of hex-encoded data within these objects. This strongly indicates the presence of a hidden payload, likely intended for execution. The document body itself appears to be a checklist related to regulatory text for pharmaceuticals, which is likely a lure to disguise the malicious nature of the file.
Heuristics 5
-
Large hex data blocks in OLE object high RTF_EXCESSIVE_HEXRTF contains ~1268KB of hex-encoded data inside \objdata sections — may hide a payload
-
OLE object data medium RTF_OBJDATARTF contains 2 \objdata section(s) — embedded OLE objects
-
Embedded OLE object medium RTF_OBJEMBRTF contains \objemb — embedded OLE object
-
OlePres presentation stream in RTF OLE object medium RTF_OLEPRES_STREAMRTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.microsoft.com/office/word/2003/wordml
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
objdata_00_off00007f13.bin903fb31e2d861ea3321cc09913aa88253e75f30b8e5994bb642d91a63f06cbf2 |
rtf-objdata-decoded | RTF \objdata at offset 0x7F13 | 622388 bytes |
objdata_01_off0013e125.bin0f8384e5272254588377951e1e7564c479a19360f5c932a00fd16e0206de6506 |
rtf-objdata-decoded | RTF \objdata at offset 0x13E125 | 622388 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.