MALICIOUS
364
Risk Score
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment
The RTF file contains multiple indicators of malicious activity, including OLE object data, a Composite Moniker, and an Equation Editor CLSID, all pointing to the exploitation of CVE-2017-8570. This vulnerability is known to be used for dropping and executing secondary payloads, such as SCT scripts. The presence of PE headers within hex data further suggests the embedded object is an executable.
Heuristics 10
-
Composite Moniker — CVE-2017-8570 (drops SCT script) critical CVE_2017_8570RTF \objdata decodes to OLE data containing the Composite Moniker — CVE-2017-8570 (drops SCT script) CLSID — the vulnerable control/moniker is embedded directly in the document's object stream, the delivery shape of this exploit. RTF objects auto-render when Word opens the file.
-
Equation Editor CLSID critical CVE likely RTF_EQUATION_EDITOREquation Editor OLE CLSID found inside an OLE object — exploited by CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798
-
Composite Moniker in RTF OLE object high RTF_COMPOSITE_MONIKER_RELATEDRTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
-
ClamAV: Rtf.Dropper.Agent-9965975-1 critical CLAMAV_DETECTIONClamAV detected this file as malware: Rtf.Dropper.Agent-9965975-1
-
PE header (with DOS stub) in hex data critical RTF_MZ_HEXHex-encoded PE (MZ + DOS stub) found inside RTF — likely an embedded executable payload
-
\objupdate forces OLE activation high RTF_OBJUPDATERTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
-
OLE object data medium RTF_OBJDATARTF contains 7 \objdata section(s) — embedded OLE objects
-
OlePres presentation stream in RTF OLE object medium RTF_OLEPRES_STREAMRTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://nsis.sf.net/NSIS_Error In RTF body
Extracted artifacts 6
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
objdata_00_off00000031.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x31 | 255803 bytes |
SHA-256: 9f3cbd3e7b24caff305c6672a4eafa9337a6b1d62a873d86220abdc16a476f51 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact entropy is 7.93, consistent with packed or encrypted content.
|
|||
objdata_01_off000809af.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x809AF | 612 bytes |
SHA-256: c62851521e10316dfd43f2b6ee67cc27e2a24456bb346c8fa9dc4a6d6e21d526 |
|||
objdata_02_off00080eaf.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x80EAF | 382 bytes |
SHA-256: 9d6fa4be1a4a694cfee89268078c9efc8705b1a473fbb09a37ceb2d45104e44b |
|||
objdata_03_off000811e7.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x811E7 | 789 bytes |
SHA-256: 8ab026a3e66d94feae5647d5ac6558412271b58006835755f301bcce43b1e52a |
|||
objdata_04_off0008188f.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x8188F | 2633 bytes |
SHA-256: 1feb5f150bb35566d1a01fc59a357dc0ea34bc7498e0ec99bd939f6f848044b0 |
|||
objdata_05_off00082db7.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x82DB7 | 4679 bytes |
SHA-256: 6bb172535cccd16de71bca846e2bb6df177c56b3a545d6e6314435eabf5d2217 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.