MALICIOUS
364
Risk Score
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
The sample is an RTF document that leverages OLE objects and a Composite Moniker to exploit CVE-2017-8570. This vulnerability allows the RTF file to drop and execute a second-stage payload, likely an SCT script, which is then executed by the system. The presence of the Equation Editor CLSID and the objdata sections further indicate the exploitation of known RTF vulnerabilities for arbitrary code execution.
Heuristics 10
-
Composite Moniker — CVE-2017-8570 (drops SCT script) critical CVE_2017_8570RTF \objdata decodes to OLE data containing the Composite Moniker — CVE-2017-8570 (drops SCT script) CLSID — the vulnerable control/moniker is embedded directly in the document's object stream, the delivery shape of this exploit. RTF objects auto-render when Word opens the file.
-
Equation Editor CLSID critical CVE likely RTF_EQUATION_EDITOREquation Editor OLE CLSID found inside an OLE object — exploited by CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798
-
Composite Moniker in RTF OLE object high RTF_COMPOSITE_MONIKER_RELATEDRTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
-
ClamAV: Rtf.Dropper.Agent-9965975-1 critical CLAMAV_DETECTIONClamAV detected this file as malware: Rtf.Dropper.Agent-9965975-1
-
PE header (with DOS stub) in hex data critical RTF_MZ_HEXHex-encoded PE (MZ + DOS stub) found inside RTF — likely an embedded executable payload
-
\objupdate forces OLE activation high RTF_OBJUPDATERTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
-
OLE object data medium RTF_OBJDATARTF contains 7 \objdata section(s) — embedded OLE objects
-
OlePres presentation stream in RTF OLE object medium RTF_OLEPRES_STREAMRTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://nsis.sf.net/NSIS_Error In RTF body
Extracted artifacts 6
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
objdata_00_off00000031.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x31 | 287505 bytes |
SHA-256: 39513c5fe2b6516a1207f7852e05f094b91ac19c9acac553b2267c2ce7a4a7e4 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact entropy is 7.94, consistent with packed or encrypted content.
|
|||
objdata_01_off000956d3.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x956D3 | 11417 bytes |
SHA-256: 5d6cfe4c5d1aa428e7c0f5e3f03a769703c8abf56b2cd296a4c4e881ac0011e7 |
|||
objdata_02_off0009b03d.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x9B03D | 382 bytes |
SHA-256: 9d6fa4be1a4a694cfee89268078c9efc8705b1a473fbb09a37ceb2d45104e44b |
|||
objdata_03_off0009b375.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x9B375 | 789 bytes |
SHA-256: 8ab026a3e66d94feae5647d5ac6558412271b58006835755f301bcce43b1e52a |
|||
objdata_04_off0009ba1d.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x9BA1D | 2633 bytes |
SHA-256: 1feb5f150bb35566d1a01fc59a357dc0ea34bc7498e0ec99bd939f6f848044b0 |
|||
objdata_05_off0009cf45.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x9CF45 | 4679 bytes |
SHA-256: 6bb172535cccd16de71bca846e2bb6df177c56b3a545d6e6314435eabf5d2217 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.