Malicious RTF — malware analysis report

Static analysis result for SHA-256 66de8e2f1d5ebbf3…

MALICIOUS

RTF

667.3 KB First seen: 2026-06-21
MD5: d5afa01d01ee54e8567d889f691fce8e SHA-1: 1bcb8314231b2346e22b5384947aee5b7500fd5e SHA-256: 66de8e2f1d5ebbf3f8c511d5cd6394e24be3c694e78d614dfe703f8aa198906f
100 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF file contains embedded OLE objects and triggers a critical ClamAV detection for Rtf.Exploit.CVE_2015_1641-6428461-0. This indicates the file is designed to exploit CVE-2015-1641, a known vulnerability in Microsoft Office RTF parsing, to achieve arbitrary code execution.

Heuristics 3

  • ClamAV: Rtf.Exploit.CVE_2015_1641-6428461-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Rtf.Exploit.CVE_2015_1641-6428461-0
  • OLE object data medium RTF_OBJDATA
    RTF contains 2 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00000048.bin rtf-objdata-decoded RTF \objdata at offset 0x48 42 bytes
SHA-256: d2baa014a3e1159f7ba45a58366b0fe0b45d6d922e2c8f2eefe0cfef4f605e3b
objdata_01_off0000020e.bin rtf-objdata-decoded RTF \objdata at offset 0x20E 49699 bytes
SHA-256: 62226a4709e64d2e316ac0626662ae7799e998ab0b386fc0151380704514deb3

Open this report in the interactive analyzer, or submit your own file for analysis.