Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 69004947e8f597a0…

Verdict: MALICIOUS

File type: RTF / .DOC

Size: 245.4 KB
Authoring application: Riched20 10.0.15063

MD5: ce26d6614c58131a59560f009e4c6ee9
SHA-1: 9d0bdea9572639fca66a65be946c12766f36fd47
SHA-256: 69004947e8f597a0c68c75e87444eb3973cfa26dc231dcd84fcc57ac13542dd4

Risk Score: 100

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The RTF document contains multiple embedded OLE objects, indicated by RTF_OBJDATA and RTF_OBJEMB heuristics. The presence of RTF_OBJUPDATE suggests that these objects are designed to be activated automatically, likely leading to the execution of embedded malicious code. The file is classified as malicious, and the techniques observed point towards an exploit delivered as a document attachment.

Heuristics (4)

  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 5 \objdata section(s) — embedded OLE objects
  • Embedded OLE object (severity: medium, rule: RTF_OBJEMB)
    RTF contains \objemb — embedded OLE object
  • OlePres presentation stream in RTF OLE object (severity: medium, rule: RTF_OLEPRES_STREAM)
    RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Each entry lists the carved filename, its hash, the artifact kind, the source location inside the sample, and the size.

  • objdata_00_off0000010d.bin
    Hash: e56dfd08058fe843db1846cd0bf3c57f1ce9e4e7294d204d99e5c90a27741ecd
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x10D
    Size: 24398 bytes
  • objdata_01_off0000c542.bin
    Hash: 9ad00ae99b6f288adbedee8c3bbd0514e65af3e70f00234c80477140fc98ea58
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0xC542
    Size: 24398 bytes
  • objdata_02_off00018977.bin
    Hash: 7cfa41eccb26dc5df3d5a0c75c66aec5a0e747628ee664fc26133a37d91d62bc
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x18977
    Size: 24398 bytes
  • objdata_03_off00024dac.bin
    Hash: 768ba66ecb321e44cf4dbfceefe6d04dcf05cc66fbc287a5d039cbc667cc86bf
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x24DAC
    Size: 24398 bytes
  • objdata_04_off000311e1.bin
    Hash: eda5be3493b2af0f91789797345f3a36b7b9575c843ab7b45a64e266fb7ab514
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x311E1
    Size: 24398 bytes