Malicious RTF — malware analysis report

Static analysis result for SHA-256 c166706f3e2c1fdb…

Verdict: MALICIOUS
File type: RTF
Size: 117.5 KB
First seen: 2020-09-15
MD5: 92a7fb1f7f129c514ea22d8377fbfa2c
SHA-1: a61008bb4baf9cdbd2396df98f307fd66078e628
SHA-256: c166706f3e2c1fdb9141fcb2bae12c0790700a031035a0b3e44cc55e4634da26
Risk score: 100

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The RTF file contains an embedded OLE object, indicated by the RTF_OBJDATA heuristic. The SC_XOR_ENCODED heuristic suggests that strings within the file are obfuscated using XOR encoding with a key of 0xF3, which is a common technique for hiding malicious payloads. This combination points towards an attempt to deliver and execute a secondary exploit or payload.

Heuristics (3)

  • XOR-encoded strings (key 0xF3) [critical] SC_XOR_ENCODED
    Found 2 Windows library/API name(s) XOR-encoded with single-byte key 0xF3: 'advapi32.dll', 'advapi32.dll'
    Disassembly: attempted x86 opcode disassembly of the encoded region
  • OLE object data [medium] RTF_OBJDATA
    RTF contains 1 \objdata section(s), i.e. embedded OLE objects.
  • OlePres presentation stream in RTF OLE object [medium] RTF_OLEPRES_STREAM
    RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: objdata_00_off00008138.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x8138
    Size: 5686 bytes
    SHA-256: 99028b9d55e1289dd10db07a75c04bdbac5cf2fae07717c1d298ae08faf58779