MALICIOUS
Risk Score: 162
Heuristics 6
- ClamAV: Doc.Exploit.DDEautoexec-6346603-1 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Exploit.DDEautoexec-6346603-1
- Large hex data blocks in OLE object [high] RTF_EXCESSIVE_HEX: RTF contains ~4852KB of hex-encoded data inside \objdata sections — may hide a payload
- OLE object data [medium] RTF_OBJDATA: RTF contains 10 \objdata section(s) — embedded OLE objects
- Embedded OLE object [medium] RTF_OBJEMB: RTF contains \objemb — embedded OLE object
- OlePres presentation stream in RTF OLE object [medium] RTF_OLEPRES_STREAM: RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.microsoft.com/office/word/2003/wordml (In RTF body)

Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| objdata_00_off00003585.bin | rtf-objdata-decoded | RTF \objdata at offset 0x3585 | 20017 bytes | 4da475db9dfe82ea155fb68c8af1373a4fccdca00b790ea7e4760a3202c2bbc8 |
| objdata_01_off0000f04b.bin | rtf-objdata-decoded | RTF \objdata at offset 0xF04B | 20017 bytes | 5f5435ccd409cd303185fda09715f1af05ce4bcb76ea696c1c42054553ae077d |
| objdata_02_off0001a98e.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1A98E | 20017 bytes | 81e4859b28a56dbccf6d70eeb952739b7a303272c2546b76aa6f2ac2fd224f04 |
| objdata_05_off0003d55b.bin | rtf-objdata-decoded | RTF \objdata at offset 0x3D55B | 20017 bytes | fb9d89beb6ab34cda686d461a6862c6f998ab3cf9a4da6ffa07c26a01074ee77 |