Malicious RTF — malware analysis report

Static analysis result for SHA-256 682e7f4053a133c8…

MALICIOUS

RTF

Size: 1.17 MB
Authoring application: Msftedit 5.41.15.1507
First seen: 2015-09-23
MD5: 6e752a28a3d4f61fb158099beab88f90
SHA-1: d8c18216e718401d37a81674d4f4bb95f16742c6
SHA-256: 682e7f4053a133c8fe08dfede3962d5af96f01dff69a72ac0b0f0ba8afc57191
Risk Score: 242

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment

The RTF file contains multiple OLE objects, including a Package object and excessive hex data, indicative of a hidden payload. ClamAV specifically identifies this as Rtf.Exploit.CVE_2012_0158-6817728-0, confirming exploitation of a known vulnerability for client execution. The presence of embedded OLE objects and the nature of the detection strongly suggest this file is intended to be delivered as a malicious attachment.

Heuristics (8)

  • Composite Moniker in RTF OLE object (severity: high; CVE related) RTF_COMPOSITE_MONIKER_RELATED
    RTF contains a Composite Moniker CLSID in an OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
  • ClamAV: Rtf.Exploit.CVE_2012_0158-6817728-0 (severity: critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Rtf.Exploit.CVE_2012_0158-6817728-0
  • Package object class (severity: high) RTF_OBJCLASS_PACKAGE
    OLE Package object — can wrap arbitrary files
  • Large hex data blocks in OLE object (severity: high) RTF_EXCESSIVE_HEX
    RTF contains ~1138 KB of hex-encoded data inside \objdata sections — may hide a payload
  • OLE object data (severity: medium) RTF_OBJDATA
    RTF contains 5 \objdata section(s) — embedded OLE objects
  • Embedded OLE object (severity: medium) RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • OlePres presentation stream in RTF OLE object (severity: medium) RTF_OLEPRES_STREAM
    RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
  • Suspicious extracted artifact (severity: info) EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
objdata_00_off0000010f.bin | rtf-objdata-decoded | RTF \objdata at offset 0x10F | 388320 bytes
    SHA-256: 43334bcc9f9f5b3cff4458f53d88fdab71a45deeb526eb59301ae3d9f9db15b4
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely. Carved artifact entropy is 7.78, consistent with packed or encrypted content.
objdata_01_off000c2708.bin | rtf-objdata-decoded | RTF \objdata at offset 0xC2708 | 166961 bytes
    SHA-256: f757c5da949aaf903c8baa9d3b71b6a19f35b5f35e83ab59fa4312034a3cf7e1
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely. Carved artifact entropy is 7.54, consistent with packed or encrypted content.
objdata_02_off00116052.bin | rtf-objdata-decoded | RTF \objdata at offset 0x116052 | 440 bytes
    SHA-256: ea5d234f81e7c6f4d2681a1e14ba35656c4caea1ff0358220f369a5f5b5ba6da
objdata_03_off001163e8.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1163E8 | 4820 bytes
    SHA-256: fa29f64c5f944bb242872d0d8668da1ac867d20966155603b909e90a88832198
objdata_04_off0011677c.bin | rtf-objdata-decoded | RTF \objdata at offset 0x11677C | 2347 bytes
    SHA-256: f180756a72c49ab825865be56755d2df3b56e2f8a2f1664890de39855704ceb9