MALICIOUS
200
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1027 Obfuscated Files or Information
The RTF file contains multiple embedded OLE objects, with significant amounts of hex-encoded data within \objdata sections. The \objupdate heuristic indicates an attempt to force OLE activation, which is a common technique for delivering embedded malware. ClamAV detection as 'Xls.Malware.Sdrop-10036532-0' further supports the malicious nature of the file, likely indicating a downloader or dropper.
Heuristics 6
-
ClamAV: Xls.Malware.Sdrop-10036532-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Xls.Malware.Sdrop-10036532-0
-
\objupdate forces OLE activation high RTF_OBJUPDATERTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
-
Large hex data blocks in OLE object high RTF_EXCESSIVE_HEXRTF contains ~1002KB of hex-encoded data inside \objdata sections — may hide a payload
-
OLE object data medium RTF_OBJDATARTF contains 5 \objdata section(s) — embedded OLE objects
-
Embedded OLE object medium RTF_OBJEMBRTF contains \objemb — embedded OLE object
-
OlePres presentation stream in RTF OLE object medium RTF_OLEPRES_STREAMRTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
objdata_00_off00003139.bin6d01f83d788a2878fc0512017d509a18f4b5b89aecd130fe039d49c1e6fd1dce |
rtf-objdata-decoded | RTF \objdata at offset 0x3139 | 119854 bytes |
objdata_04_off000f9801.bine2e1aa02fde0a77b74029f9450024df87e5064c063c6ea4ca8ab116084a5acd9 |
rtf-objdata-decoded | RTF \objdata at offset 0xF9801 | 88440 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.