RTF malware analysis — malicious · 79293f3cfa2af27b

MALICIOUS

RTF

1.26 MB Created: 2016-03-27 18:31:00 First seen: 2016-04-01

MD5: f5c81526acbd830da2f533ae93deb1e1 SHA-1: f7d9e0c7714578eb29716c1d2f49ef0defbf112a SHA-256: 79293f3cfa2af27b9d5d2d7afa1d3febb8a02f7480491b0a8afb6eea0d10faab

304 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF file contains embedded OLE objects with large amounts of hex-encoded data, indicative of a hidden payload. It also uses an INCLUDETEXT/INCLUDEPICTURE directive to fetch content from a remote URL, which is a common technique for downloading secondary exploits or malware. ClamAV detections confirm the presence of an exploit targeting CVE-2015-1641, a known vulnerability in Microsoft Office.

Heuristics 9

Composite Moniker in RTF OLE object high CVE related RTF_COMPOSITE_MONIKER_RELATED

RTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
ClamAV: Doc.Exploit.CVE_2015_1641-6397417-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Exploit.CVE_2015_1641-6397417-0
Large hex data blocks in OLE object high RTF_EXCESSIVE_HEX

RTF contains ~1203KB of hex-encoded data inside \objdata sections — may hide a payload
INCLUDETEXT/INCLUDEPICTURE remote URL high RTF_INCLUDE_REMOTE

RTF document uses INCLUDETEXT or INCLUDEPICTURE with an http:// URL — Word can fetch the remote content on open depending on Office version and external-content settings, enabling remote template injection, NTLM capture via redirects, or payload delivery
OLE object data medium RTF_OBJDATA

RTF contains 3 \objdata section(s) — embedded OLE objects
Embedded OLE object medium RTF_OBJEMB

RTF contains \objemb — embedded OLE object
OlePres presentation stream in RTF OLE object medium RTF_OLEPRES_STREAM

RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.aims.net.pk/facilities/welfare2/news In RTF body
- http://schemas.microsoft.com/office/word/2003/wordmlIn RTF body

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off0000f13f.bin`	rtf-objdata-decoded	RTF \objdata at offset 0xF13F	6372 bytes
SHA-256: `365bc96aa9bd390a6f5cab1f799a12c67405386f30fcdb30ea4ddc2c73da875a`
`objdata_01_off00012cc3.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x12CC3	589873 bytes
SHA-256: `01d0e7ff68edf78e6d8472e531dc7088bfa2ce131733dcee03efa69c1c482bb4`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.98, consistent with packed or encrypted content.
`objdata_02_off00135665.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x135665	16433 bytes
SHA-256: `ac8397211c1cd7886d49ccd99d0163edaa3711f18fc40ff269159d175e9e4c47`
Detection ClamAV: Doc.Exploit.CVE_2015_1641-6397417-0 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.