RTF malware analysis — malicious · 62d38f19e67013ce

MALICIOUS

RTF

942.8 KB

MD5: 994a67d5d6341173ad95bc6f5d795fd0 SHA-1: fa84ee006b205f105df40dd2abcf238653f8cef0 SHA-256: 62d38f19e67013ce7b2a84cb17362c77e2f13134ee3f8743cbadde818483e617

160 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The RTF file contains an embedded OLE object, identified by the RTF_OBJDATA heuristic. The SC_XOR_ENCODED heuristic suggests that strings within the file, likely related to the embedded object's functionality, are obfuscated. ClamAV detection as Rtf.Dropper.Agent-7667313-0 further confirms its malicious nature as a dropper. The embedded object is likely a secondary payload designed to be executed.

Heuristics 4

XOR-encoded strings (key 0xF3) critical SC_XOR_ENCODED

Found 2 Windows library/API name(s) XOR-encoded with single-byte key 0xF3: 'advapi32.dll', 'advapi32.dll'
ClamAV: Rtf.Dropper.Agent-7667313-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Rtf.Dropper.Agent-7667313-0
OLE object data medium RTF_OBJDATA

RTF contains 1 \objdata section(s) — embedded OLE objects
OlePres presentation stream in RTF OLE object medium RTF_OLEPRES_STREAM

RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off00008138.bin` `99028b9d55e1289dd10db07a75c04bdbac5cf2fae07717c1d298ae08faf58779`	rtf-objdata-decoded	RTF \objdata at offset 0x8138	5686 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.