Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 a0d04e599eca9f36…

MALICIOUS

RTF / .DOC

932.7 KB
MD5: efbff8a60cdba36c61c8aae05c69f58c
SHA-1: 45440b6dadd88e5445add63879307fed50916d66
SHA-256: a0d04e599eca9f367990d34f820b473d7e7c3969483eaad9892fb4c512849efb
Risk Score: 100

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 Malicious File

The RTF document contains an embedded OLE object, indicated by the RTF_OBJDATA heuristic. Additionally, the SC_XOR_ENCODED heuristic suggests that strings within the file are obfuscated using XOR encoding with a key of 0xF3. This combination points towards a malicious document designed to deliver a payload, likely through exploitation of embedded objects. No specific family could be identified.

Heuristics (3)

  • XOR-encoded strings (key 0xF3) critical SC_XOR_ENCODED
    Found 2 Windows library/API name(s) XOR-encoded with single-byte key 0xF3: 'advapi32.dll', 'advapi32.dll'
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • OlePres presentation stream in RTF OLE object medium RTF_OLEPRES_STREAM
    RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename:  objdata_00_off0000c688.bin
SHA-256:   f3684bc8f950262d8028d3aa39ed8ba73b4ac2a99953e9e5a299dde7f51440c3
Kind:      rtf-objdata-decoded
Source:    RTF \objdata at offset 0xC688
Size:      5686 bytes