Malicious RTF — malware analysis report

Static analysis result for SHA-256 8702469e99e76ebf…

MALICIOUS

RTF

Size: 447.4 KB
Authoring application: Msftedit 5.41.15.1507
First seen: 2014-09-26
MD5: 9eb2158d227eff7fc4a332bb82f0cd90
SHA-1: b00650953c80493ff396ce0b20c59929b898e941
SHA-256: 8702469e99e76ebfb73f28848cc10ca8fd9c8dabeedb9559a9bb4239dfba0941
Risk Score: 162

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF file contains multiple OLE objects and triggers high-severity heuristics for CVE-2014-1761 and CVE-2012-0158, indicating exploitation of known vulnerabilities for client execution. The presence of embedded OLE objects suggests an attempt to deliver a malicious payload. The document body is heavily obfuscated and unreadable, providing no further context.

Heuristics (6)

  • CVE-2014-1761 — \listoverridecount large value (26112847940857370449405885673409503602111784280794777832934290349023843232909896375822393900277583421388878778333911111111200000000285293483488705430874425078757034875808754369295340574804543845224085780683347503493200) [severity: high; CVE exact; tag: CVE_2014_1761]
    RTF \listoverridecount value 26112847940857370449405885673409503602111784280794777832934290349023843232909896375822393900277583421388878778333911111111200000000285293483488705430874425078757034875808754369295340574804543845224085780683347503493200 far exceeds normal bounds; exploited by CVE-2014-1761 to trigger a heap corruption in Word; used in targeted attacks.
  • ClamAV: Rtf.Exploit.CVE_2012_0158-6817728-0 [severity: critical; tag: CLAMAV_DETECTION]
    ClamAV detected this file as malware: Rtf.Exploit.CVE_2012_0158-6817728-0
  • OLE object data [severity: medium; tag: RTF_OBJDATA]
    RTF contains 5 \objdata section(s), i.e. embedded OLE objects.
  • Embedded OLE object [severity: medium; tag: RTF_OBJEMB]
    RTF contains \objemb, an embedded OLE object.
  • OlePres presentation stream in RTF OLE object [severity: medium; tag: RTF_OLEPRES_STREAM]
    RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
  • Suspicious extracted artifact [severity: info; tag: EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (5)

Files carved from inside the sample during analysis.

  • Filename: objdata_00_off00000107.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x107
    Size: 8352 bytes
    SHA-256: 14e1e64a49d8d3e44892c5fd9d449b7196841e6c306b7b8b48392cbe3df64f92
  • Filename: objdata_01_off00004446.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x4446
    Size: 14939 bytes
    SHA-256: d7664b7d968622eeaa3f4c65ff4ce164c38edfaf44cfc91bc214efdbe9dbedbc
  • Filename: objdata_02_off0000bc16.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0xBC16
    Size: 4827 bytes
    SHA-256: 341ea0e0fa924b5b6cd22c7d08cda49096f92ffcf9cbeee9b8710ac3e58c18b5
  • Filename: objdata_03_off0000bfaa.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0xBFAA
    Size: 2355 bytes
    SHA-256: 3797b6ebf96e36732093d5d3406d62a8f5d704b4072d3018c63591f7233a9b2f
  • Filename: objdata_04_off0000e559.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0xE559
    Size: 166961 bytes
    SHA-256: c78994eee5d83c9ab4e61dbdbd17f7c478abde0fa6a7f487b890ad7c512c1887

Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.54, consistent with packed or encrypted content.