Malicious RTF — malware analysis report

Static analysis result for SHA-256 74e63d6c5237e68c…

MALICIOUS

RTF

Size: 511.2 KB
Authoring application: Riched20 10.0.15063
First seen: 2019-02-26
MD5: 76ab647c2319c83c20410373215ef251
SHA-1: 164d7b56f31d29f95d2ed6860a3319ed4f33dff4
SHA-256: 74e63d6c5237e68c19220682612c8e620a18cd1caa0ed6eefc357ec1bf4559a6
Risk score: 100

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF file contains multiple embedded OLE objects, with heuristics indicating that \objupdate forces OLE activation. This suggests the file is designed to exploit vulnerabilities within OLE object handling to achieve client execution. The specific exploit or payload is not directly discernible from the static analysis, leading to an unknown family classification.

Heuristics (4)

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 10 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • OlePres presentation stream in RTF OLE object medium RTF_OLEPRES_STREAM
    RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename                      Kind                  Source                          Size
objdata_00_off0000010d.bin    rtf-objdata-decoded   RTF \objdata at offset 0x10D    25422 bytes
  SHA-256: 93920f8eb926f338b3955223e185f7840bb99edf1608ae93f3f33d027cdf86fa
objdata_03_off0002664e.bin    rtf-objdata-decoded   RTF \objdata at offset 0x2664E  25422 bytes
  SHA-256: a4f9914009421dadeac04dd1803d808e73c1a2d5d5ef9b59780e1be7920244de
objdata_05_off0003ff24.bin    rtf-objdata-decoded   RTF \objdata at offset 0x3FF24  25422 bytes
  SHA-256: 10164b08b2ef0ee831754e58168a4e9e453fb550a77c85596147cff02688a5a9
objdata_07_off000597fa.bin    rtf-objdata-decoded   RTF \objdata at offset 0x597FA  25422 bytes
  SHA-256: e8abde24045111d4440648afcd442130da129937ed12900a66000440eb3dcf63