Rtf.Dropper.Agent-8883478-0 — RTF malware analysis

Static analysis result for SHA-256 7ba17cacb2911e5c…

Verdict: MALICIOUS
File type: RTF
Size: 250.5 KB
MD5: c18f5b453e85c91b2d2a6da5bf437150
SHA-1: db734b2a4202c51c48e64d8b5976048191e61fea
SHA-256: 7ba17cacb2911e5c32528067e09fb8900443ce4bf45306a59e6a9be3ca65d619
Risk Score: 200

Malware Insights

Rtf.Dropper.Agent-8883478-0 · confidence 95%

MITRE ATT&CK
  • T1559.002 Component Object Model and Distributed Component Object Model
  • T1204.002 Malicious File

The RTF file contains multiple OLE objects; heuristics indicate that \objupdate forces OLE activation when the document is opened and that a Composite Moniker CLSID is present in OLE object context. ClamAV identifies the file as Rtf.Dropper.Agent-8883478-0, suggesting it acts as a dropper. The embedded OLE objects are the likely vehicle for payload execution.

Heuristics (6)

  • Composite Moniker in RTF OLE object · severity: high · CVE related · RTF_COMPOSITE_MONIKER_RELATED
    RTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
  • ClamAV: Rtf.Dropper.Agent-8883478-0 · severity: critical · CLAMAV_DETECTION
    ClamAV detected this file as malware: Rtf.Dropper.Agent-8883478-0
  • \objupdate forces OLE activation · severity: high · RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data · severity: medium · RTF_OBJDATA
    RTF contains 4 \objdata section(s) — embedded OLE objects
  • Embedded OLE object · severity: medium · RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • OlePres presentation stream in RTF OLE object · severity: medium · RTF_OLEPRES_STREAM
    RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename (with SHA-256) · Kind · Source · Size

  • objdata_00_off0000078d.bin
    SHA-256: 8aecaad403e16c4bafb389be0d743006b74931ccc4b5289787481a8f02d1e0c5
    Kind: rtf-objdata-decoded · Source: RTF \objdata at offset 0x78D · Size: 32619 bytes
  • objdata_01_off00010768.bin
    SHA-256: 12289ea42203fe86d5d6e86e52672f752ead5709842d0443203b40a4917d5ece
    Kind: rtf-objdata-decoded · Source: RTF \objdata at offset 0x10768 · Size: 12261 bytes
  • objdata_02_off00016778.bin
    SHA-256: ff4e9aaf9384b52652b79eaca517ccbf97d52846b4e013a0558d5ada8d82dc18
    Kind: rtf-objdata-decoded · Source: RTF \objdata at offset 0x16778 · Size: 2632 bytes