Malicious RTF — malware analysis report

Static analysis result for SHA-256 74e0d21fe9edf7ba…

MALICIOUS

RTF

355.9 KB Authoring application: Msftedit 5.41.21.2510 First seen: 2014-03-02
MD5: 7791dd18bf586c6d551230d984aeb350 SHA-1: 8f48eb2871fffe97a6b87fb8f38930ca87007aa1 SHA-256: 74e0d21fe9edf7baf489e29697fff8bc4a6af811e6fe3027842fe96f6a00a2d9
160 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF file contains multiple embedded OLE objects, including a package object. ClamAV specifically detected this file as Rtf.Exploit.CVE_2012_0158-22, indicating exploitation of the CVE-2012-0158 vulnerability. This vulnerability allows for arbitrary code execution when a user opens the malicious RTF document.

Heuristics 5

  • ClamAV: Rtf.Exploit.CVE_2012_0158-22 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Rtf.Exploit.CVE_2012_0158-22
  • Package object class high RTF_OBJCLASS_PACKAGE
    OLE Package object — can wrap arbitrary files
  • OLE object data medium RTF_OBJDATA
    RTF contains 5 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • OlePres presentation stream in RTF OLE object medium RTF_OLEPRES_STREAM
    RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off000000f2.bin rtf-objdata-decoded RTF \objdata at offset 0xF2 4175 bytes
SHA-256: c021ca1e645b2287292bbabd5f9633b135fa02739e0f3f93fe3826fccf15db9a
objdata_01_off000022a7.bin rtf-objdata-decoded RTF \objdata at offset 0x22A7 156520 bytes
SHA-256: 50104f77f08448f8642fba65439d418fe1b355616a87166cc88f8858b352719f
objdata_02_off00050858.bin rtf-objdata-decoded RTF \objdata at offset 0x50858 440 bytes
SHA-256: ea5d234f81e7c6f4d2681a1e14ba35656c4caea1ff0358220f369a5f5b5ba6da
objdata_03_off00050bee.bin rtf-objdata-decoded RTF \objdata at offset 0x50BEE 4824 bytes
SHA-256: 611b59d72c023bc057fbc4380f8493170dd621af47229e46fd0670483493500b
objdata_04_off00050f82.bin rtf-objdata-decoded RTF \objdata at offset 0x50F82 2351 bytes
SHA-256: 3dc8420da6b994fd419d7cfdfc0367e347304c1db04969391dd1aee827839010

Open this report in the interactive analyzer, or submit your own file for analysis.