Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 8f1a7435bd3a4e71…

MALICIOUS

RTF / .DOC

Size: 428.2 KB
Created: 2010-03-11 10:32:00
Authoring application: Microsoft Word 11.0.0000
MD5: db1ad614057217f2bce0d970ed594a17
SHA-1: 9ac70332e1f09c063211a3e65037b7256c65e58a
SHA-256: 8f1a7435bd3a4e714a375505de3438473c28364ee757212652c36ccefb999496
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The RTF document contains OLE object data and an embedded OLE object, suggesting it is designed to deliver malicious content. The document body mimics a financial fraud investigation notice from PNC Bank, including a fake reference card and disputed amounts, with a call to action to contact a provided phone number. This is a common social engineering tactic to trick users into interacting with malicious actors. The embedded URL is benign, but the phone number is a potential IOC.

Heuristics (4)

  • OLE object data [medium] RTF_OBJDATA
    RTF contains 1 \objdata section(s) (embedded OLE objects)
  • Embedded OLE object [medium] RTF_OBJEMB
    RTF contains \objemb (embedded OLE object)
  • OlePres presentation stream in RTF OLE object [medium] RTF_OLEPRES_STREAM
    RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml}{\xmlns2

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off000027dd.bin
SHA-256:  b115c9b0a9e965674777a0690a7b0535e7401f05df7f50699898210eda538972
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0x27DD
Size:     139968 bytes