Malicious RTF — malware analysis report

Static analysis result for SHA-256 71d4f574dc81dc15…

MALICIOUS

RTF

495.7 KB Authoring application: Msftedit 5.41.15.1507 First seen: 2014-07-06
MD5: f1de85eddc45f229fb9e662080defc40 SHA-1: 0c9400436b6d2ec7839eda32f36ac945601b2eb3 SHA-256: 71d4f574dc81dc153bbc67709a985f2b9f67eaa5c37a293bc895d63eb3e7e9bb
142 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF file contains multiple embedded OLE objects, with specific heuristics indicating exploitation of CVE-2012-1856 (MSCOMCTL.Toolbar) and CVE-2012-0158. These vulnerabilities allow for the execution of arbitrary code when the document is opened, likely leading to the download and execution of a secondary payload. The presence of these known exploits strongly suggests a malicious intent, likely delivered via spearphishing.

Heuristics 6

  • MSCOMCTL.Toolbar — CVE-2012-0158 / CVE-2012-1856 high CVE related CVE_2012_1856
    RTF \objdata decodes to OLE data containing the MSCOMCTL.Toolbar — CVE-2012-0158 / CVE-2012-1856 CLSID — the vulnerable control/moniker is embedded directly in the document's object stream, the delivery shape of this exploit. RTF objects auto-render when Word opens the file.
  • Package object class high RTF_OBJCLASS_PACKAGE
    OLE Package object — can wrap arbitrary files
  • OLE object data medium RTF_OBJDATA
    RTF contains 5 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • OlePres presentation stream in RTF OLE object medium RTF_OLEPRES_STREAM
    RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off0000012e.bin rtf-objdata-decoded RTF \objdata at offset 0x12E 5853 bytes
SHA-256: 25bede2e15fc6d5f2254e69faa5db47243b34349407f5b33f244027374e535f0
objdata_01_off00003064.bin rtf-objdata-decoded RTF \objdata at offset 0x3064 224640 bytes
SHA-256: 02fb19682ca29a2295665e612229e4e706436167623c9f36b3174b369c60c757
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.59, consistent with packed or encrypted content.
objdata_02_off00073793.bin rtf-objdata-decoded RTF \objdata at offset 0x73793 440 bytes
SHA-256: ea5d234f81e7c6f4d2681a1e14ba35656c4caea1ff0358220f369a5f5b5ba6da
objdata_03_off00073b29.bin rtf-objdata-decoded RTF \objdata at offset 0x73B29 4824 bytes
SHA-256: ada5540ecbc66cf46d59d120dbb4a3eb39eb4cf52ddd58f85185369cc5e7bf09
objdata_04_off00073ebd.bin rtf-objdata-decoded RTF \objdata at offset 0x73EBD 2368 bytes
SHA-256: ac301d958c025c40e28d1156d0c99f07250039c719d3e0b97f44167b5dd9293c

Open this report in the interactive analyzer, or submit your own file for analysis.