Malicious RTF — malware analysis report

Static analysis result for SHA-256 c2cc944961394bb4…

Verdict: MALICIOUS
File type: RTF
Size: 261.0 KB
MD5: cc85b62d7417aa210b0dfaaddc8dccf8
SHA-1: 115123c06c33b6de089f7998e56dddd9264a7c4e
SHA-256: c2cc944961394bb499d7401df2ed5121ebe2daec1caebbc0e61513f28d153ce9
Risk score: 180

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.002 User Execution: Malicious File
  • T1059.005 Command and Scripting Interpreter: Visual Basic

The RTF file contains three embedded OLE objects, one of which is marked with the \objupdate control word, which makes Word activate the object automatically when the document is opened instead of waiting for the user to interact with it. The document body explicitly prompts the user to 'Enable Editing', a lure designed to move the reader out of Protected View (where embedded objects are not activated) and commonly seen in macro- and OLE-based droppers. No script was recovered directly from the file, but the combination of embedded OLE objects, forced activation and the lure strongly suggests the document is designed to execute embedded content, most likely a downloader or dropper stage.

Heuristics (7)

  • Composite Moniker in RTF OLE object [high, CVE related] (RTF_COMPOSITE_MONIKER_RELATED)
    RTF contains the Composite Moniker CLSID in an OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat this as attack-surface evidence for moniker-based exploitation rather than proof of CVE-2017-8570 exploitation.
  • \objupdate forces OLE activation [high] (RTF_OBJUPDATE)
    RTF contains \objupdate, which makes Word instantiate (activate) the embedded OLE object automatically when the document is opened, so the user does not have to click the object. Rarely present in benign documents; very common in exploit documents, in particular Equation Editor exploits.
  • OLE object data [medium] (RTF_OBJDATA)
    RTF contains 3 \objdata section(s), i.e. hex-encoded embedded OLE objects.
  • Embedded OLE object [medium] (RTF_OBJEMB)
    RTF contains \objemb, marking an embedded (rather than linked) OLE object.
  • OlePres presentation stream in RTF OLE object [medium] (RTF_OLEPRES_STREAM)
    An embedded OLE object carries an OlePres presentation stream. OlePres is a normal OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
  • Macro/content-enable lure [medium] (SE_ENABLE_LURE)
    The document text instructs the user to enable editing, content or macros, a common social-engineering technique used by droppers to get the reader out of Protected View or past Office macro security settings.
  • Suspicious extracted artifact [medium] (EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files carved from this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
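The checks behind the RTF_* and SE_ENABLE_LURE heuristics above can be reproduced in a few lines. The following triage script is an added example written for this page, not the analysis engine's own code, and it was not run against the sample above: it decodes every \objdata group, hashes the carved blobs, and flags \objupdate, \objemb, the enable-editing lure, the OlePres marker and the composite moniker CLSID. The CLSID value {00000309-0000-0000-C000-000000000046} is the standard COM CLSID_CompositeMoniker taken from COM documentation (the report names it only by role); the sample RTF and OLE blob are constructed for the demonstration, and the rule names reuse the report's tags.

```python
import hashlib
import re
import uuid

# Standard COM CLSID of the composite moniker (CLSID_CompositeMoniker). Taken from
# COM documentation; the report above refers to it only as "Composite Moniker CLSID".
COMPOSITE_MONIKER_CLSID = uuid.UUID("00000309-0000-0000-C000-000000000046")

# OLE payloads in RTF are hex strings inside {\*\objdata ...} groups. The hex may be
# wrapped across lines, so everything up to the closing brace is taken and only
# hex digits are kept.
_OBJDATA_RE = re.compile(rb"\\objdata\b(.*?)\}", re.DOTALL)
_LURE_RE = re.compile(rb"enable\s+(editing|content|macros)", re.IGNORECASE)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def decode_objdata(rtf: bytes):
    """Return [(offset_of_control_word, decoded_bytes)] for every \\objdata group."""
    carved = []
    for m in _OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(rb"[^0-9A-Fa-f]", b"", m.group(1))
        if len(hexdata) % 2:
            hexdata = hexdata[:-1]          # tolerate a stray trailing nibble
        carved.append((m.start(), bytes.fromhex(hexdata.decode("ascii"))))
    return carved


def triage(rtf: bytes) -> dict:
    """Document-level findings plus one record per carved OLE blob."""
    findings = []
    if re.search(rb"\\objupdate\b", rtf):
        findings.append("RTF_OBJUPDATE")      # forced activation on open
    if re.search(rb"\\objemb\b", rtf):
        findings.append("RTF_OBJEMB")
    if _LURE_RE.search(rtf):
        findings.append("SE_ENABLE_LURE")
    artifacts = []
    for offset, blob in decode_objdata(rtf):
        tags = []
        # GUIDs are stored little-endian inside OLE/COM structures, so match bytes_le.
        if COMPOSITE_MONIKER_CLSID.bytes_le in blob:
            tags.append("RTF_COMPOSITE_MONIKER_RELATED")
        if b"OlePres" in blob:
            tags.append("RTF_OLEPRES_STREAM")
        artifacts.append({"offset": offset, "size": len(blob),
                          "sha256": sha256_hex(blob), "tags": tags})
    if artifacts:
        findings.append("RTF_OBJDATA")
    return {"findings": findings, "artifacts": artifacts}


# Constructed sample (not the analysed file): an OLE 1.0-style blob carrying the
# composite moniker CLSID and an OlePres marker, hex-encoded across two lines.
CONSTRUCTED_BLOB = (
    b"\x01\x05\x00\x00\x02\x00\x00\x00"
    + COMPOSITE_MONIKER_CLSID.bytes_le
    + b"\x02OlePres000"
    + b"\x00" * 16
)
_hex = CONSTRUCTED_BLOB.hex().encode("ascii")
SAMPLE_RTF = (
    rb"{\rtf1\ansi\deff0{\object\objemb\objupdate{\*\objclass Package}{\*\objdata "
    + _hex[:40] + b"\r\n" + _hex[40:]
    + rb"}}\par Protected document. Click Enable Editing to view the content.\par}"
)

if __name__ == "__main__":
    report = triage(SAMPLE_RTF)
    print("findings:", report["findings"])
    for art in report["artifacts"]:
        print(f"objdata at 0x{art['offset']:X}: {art['size']} bytes "
              f"sha256={art['sha256']} tags={art['tags']}")
```

The regex-based carving is deliberately tolerant of line breaks and stray characters inside the hex, because exploit documents routinely split and pad the \objdata blob to break naive extractors; the offsets and sizes it reports are the same numbers the artifact table below records for each carved object.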

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • objdata_00_off00000b44.bin
    SHA-256: d859589b6eb6bdba86235326df6cbc0ad9dfbd912fd5760f45c3a75900329639
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0xB44
    Size: 37548 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact contains 2 shell/COM execution token(s))
  • objdata_01_off000131a1.bin
    SHA-256: 12289ea42203fe86d5d6e86e52672f752ead5709842d0443203b40a4917d5ece
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x131A1
    Size: 12261 bytes
  • objdata_02_off000191b3.bin
    SHA-256: a483f12dcb6e4b0551213d4a635fd37957956b42b40e2fc9f057edbc2419eb50
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x191B3
    Size: 2632 bytes