MALICIOUS
202
Risk Score
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
The RTF file contains a critical heuristic firing for CVE-2017-0199, indicating it is weaponized with a URL pointing to a malicious HTA payload. This exploit is used for client execution, likely leading to the download and execution of further malicious content. The embedded URL is the primary indicator of compromise.
Heuristics 6
-
CVE-2017-0199 (OLE2Link / weaponized URL) critical CVE exact CVE_2017_0199_WEAPONIZED_URLRTF contains a URL Moniker OLE link to a script/HTA/template-style remote loader, matching the tighter static CVE-2017-0199 shape.
-
ClamAV: Rtf.Exploit.CVE_2017_0199-6335035-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Rtf.Exploit.CVE_2017_0199-6335035-0
-
Automatically linked OLE object high RTF_OBJAUTLINKRTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
-
OLE object data medium RTF_OBJDATARTF contains 1 \objdata section(s) — embedded OLE objects
-
OlePres presentation stream in RTF OLE object medium RTF_OLEPRES_STREAMRTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://almahalliah.com/csc/htaonu.hta In RTF body
- http://schemas.microsoft.com/office/word/2003/wordmlIn RTF body
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
objdata_00_off0000269e.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x269E | 4664 bytes |
SHA-256: 80a7b45c445cb420237ecbfcae6af54e9db8cfa1291d575ee60b0ca2e64b2ec6 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.