Malicious RTF / .7B — malware analysis report

Static analysis result for SHA-256 78461ef3d2cb9dc3…

MALICIOUS

RTF / .7B

Size: 366.0 KB
Created: 2004-03-01 23:12:00
Authoring application: Microsoft Word 10.0.2627
MD5: e7205bcfdaf5975764bedcf178a002fe
SHA-1: 916819b296d0c583551d4d0311b474c8125ca5b1
SHA-256: 78461ef3d2cb9dc37dc9d52bcf6d168754b99496f46992518f10ee5c6ee10bab
Risk score: 240

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File
  • T1027 Obfuscated Files or Information

The RTF file contains multiple embedded OLE objects. Critical heuristics indicate that these objects contain PE headers and are detected by ClamAV as a Trojan (Doc.Trojan.Thus-8) and a worm (Win.Worm.Blaster-1). This strongly suggests the file is designed to drop and execute a secondary malicious payload.

Heuristics (6)

  • PE header (with DOS stub) in hex data (critical, RTF_MZ_HEX)
    Hex-encoded PE (MZ + DOS stub) found inside RTF: likely an embedded executable payload
  • ClamAV: Doc.Trojan.Thus-8 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Thus-8
  • ClamAV detection on extracted artifact (critical, EXTRACTED_FILE_CLAMAV)
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • OLE object data (medium, RTF_OBJDATA)
    RTF contains 4 \objdata section(s): embedded OLE objects
  • Embedded OLE object (medium, RTF_OBJEMB)
    RTF contains \objemb: embedded OLE object
  • OlePres presentation stream in RTF OLE object (medium, RTF_OLEPRES_STREAM)
    RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
objdata_00_off000022c9.bin | db2aa971332bdca35c8b2ca7c9c7cdd029d5d128623cd385deafe50a0950ee52 | rtf-objdata-decoded | RTF \objdata at offset 0x22C9 | 56668 bytes
objdata_01_off0002023e.bin | 8d02968a97588c32488fb493f992c3982aca4cc11b88c213654e48dafc9afa0d | rtf-objdata-decoded | RTF \objdata at offset 0x2023E | 56668 bytes
objdata_02_off0003e1b2.bin | 14f9ec6bbb8a350ba2042ddf77d51783b51c13ccb42733a43093b548483d8ba0 | rtf-objdata-decoded | RTF \objdata at offset 0x3E1B2 | 30038 bytes
objdata_03_off0004ef69.bin | 22d95519ebc2fef882b22b6bbe95d6f977ab8b8887be0509170edddbef910b52 | rtf-objdata-decoded | RTF \objdata at offset 0x4EF69 | 21346 bytes
Detection: ClamAV Win.Worm.Blaster-1
Obfuscation or payload: unlikely