Malicious RTF — malware analysis report

Static analysis result for SHA-256 61837a590a43f0cb…

MALICIOUS

RTF

Size: 1.95 MB
Authoring application: Msftedit 5.21.13.1337
First seen: 2016-11-10
MD5: de46a6c4f4f7b98698b3888f1543fc8f
SHA-1: 0d98942fffa5204b44f31e7c782919402ae486ee
SHA-256: 61837a590a43f0cb39e3954521dd2004ee6914085fd3ab71f4e5fe32158de463
Risk Score: 144

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution

The RTF file contains multiple embedded OLE objects, with a significant portion of the data being excessively hex-encoded. This strongly suggests that the file is a container for a malicious payload, likely intended to be delivered via spearphishing. The presence of composite monikers and presentation streams further supports the exploitation of OLE object handling for execution.

Heuristics (7)

  • Composite Moniker in RTF OLE object [high, CVE related] (RTF_COMPOSITE_MONIKER_RELATED)
    RTF contains a Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
  • Large hex data blocks in OLE object [high] (RTF_EXCESSIVE_HEX)
    RTF contains ~1717 KB of hex-encoded data inside \objdata sections; this may hide a payload.
  • OLE object data [medium] (RTF_OBJDATA)
    RTF contains 5 \objdata section(s), i.e. embedded OLE objects.
  • Embedded OLE object [medium] (RTF_OBJEMB)
    RTF contains \objemb, an embedded OLE object.
  • OlePres presentation stream in RTF OLE object [medium] (RTF_OLEPRES_STREAM)
    RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
  • Suspicious extracted artifact [info] (EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in RTF body)
    • http://purl.org/dc/elements/1.1 (in RTF body)
    • http://www.adobe.com/products/flex (in RTF body)
    • http://www.adobe.com/2006/flex/mx/internal (in RTF body)
    • http://adobe.com/AS3/2006/builtin (in RTF body)

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename: objdata_00_off000000e8.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0xE8
Size: 273232 bytes
SHA-256: 78bd432bb5fe8e8873a9737d6d6fee9962a13ce9186281f506d429bdbecb7ec7
Detection: ClamAV: No threats found
Obfuscation or payload: likely (carved artifact entropy is 7.85, consistent with packed or encrypted content)

Filename: objdata_01_off00088d87.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x88D87
Size: 44 bytes
SHA-256: 14928c09e2381332bf524dfe75bb3e165f2bf3918aedfe4d4b2fb42bdfd494ce

Filename: objdata_02_off001a3816.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x1A3816
Size: 28265 bytes
SHA-256: b192d105e4de886ecca2892a3489214553250bafe324924bb199498322dab8fa

Filename: objdata_03_off001b1bfb.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x1B1BFB
Size: 99923 bytes
SHA-256: f11460cb29d09601eb9ab86aba1694c46b7fa6e205994719f4733e8a421ab302
Detection: ClamAV: No threats found
Obfuscation or payload: likely (carved artifact entropy is 7.62, consistent with packed or encrypted content)

Filename: objdata_04_off001e3db1.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x1E3DB1
Size: 31792 bytes
SHA-256: d45e003658b25803f6f3c692ee3626d6ccb2d8bf4c9e9cc1f848d7460b5a90ff
Detection: ClamAV: No threats found
Obfuscation or payload: likely (carved artifact entropy is 7.65, consistent with packed or encrypted content)