Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 c61450d4270fed01…

Verdict: MALICIOUS
File type: RTF / .DOC
Size: 254.0 KB
MD5: 90344c632382eca595216d2640a06e27
SHA-1: b0cd85c6a0c44f3f3c0f65a3dfe2dd18bc8bef9c
SHA-256: c61450d4270fed01293c68fa69206eacdff2b6144edb7bec95f0e6761a375ee9
Risk score: 160

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.002 User Execution: Malicious File

The RTF document contains multiple OLE objects, one of which is marked with the \objupdate control word, which forces the object to be instantiated and updated when the document is opened rather than waiting for the user to interact with it. A Composite Moniker CLSID is present in OLE object context; that CLSID is associated with moniker-abuse exploits (CVE-2017-8570 style), although no scriptlet payload was recovered to confirm exploitation. The document body explicitly prompts the user to "Enable Editing", a common social-engineering lure to move the reader out of Protected View, the state in which embedded objects and macros are blocked from running. No scripts were extracted, and no network IOCs such as URLs or second-stage hashes were identified in the evidence available to this analysis.

Heuristics (6)

  • [high] Composite Moniker in RTF OLE object (RTF_COMPOSITE_MONIKER_RELATED, CVE related)
    RTF contains the Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat this as evidence of the moniker attack surface being present rather than as proof of CVE-2017-8570 exploitation.
  • [high] \objupdate forces OLE activation (RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, removing the need for user interaction. Legitimate documents rarely need it; it is characteristic of exploit documents, Equation Editor exploits in particular.
  • [medium] OLE object data (RTF_OBJDATA)
    RTF contains 4 \objdata section(s), i.e. hex-encoded embedded OLE object streams.
  • [medium] Embedded OLE object (RTF_OBJEMB)
    RTF contains \objemb, declaring an embedded (as opposed to linked) OLE object.
  • [medium] OlePres presentation stream in RTF OLE object (RTF_OLEPRES_STREAM)
    RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
  • [medium] Macro/content-enable lure (SE_ENABLE_LURE)
    Document instructs the user to enable macros or editing, a technique commonly used by malware droppers to get the user to lift Office's Protected View and macro security restrictions.
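The checks behind the heuristics above can be reproduced with a small scanner. The following is an added example written for this page, not the analysis platform's own code: it locates \objupdate, \objemb and \objdata, decodes each \objdata hex blob, parses the OLE1 ObjectHeader to recover the class name and native data, and looks for the Composite Moniker CLSID ({00000309-0000-0000-C000-000000000046}, a documented OLE constant), the UTF-16LE "OlePres" stream name (a plain substring check, not a compound-file parse) and an "Enable Editing/Content" lure. The RTF it runs on is constructed inline and is not the analysed sample; all function names are this example's own.

```python
import re
import struct
import uuid

# CLSID_CompositeMoniker {00000309-0000-0000-C000-000000000046}; stored little-endian on disk
COMPOSITE_MONIKER_CLSID = uuid.UUID("00000309-0000-0000-C000-000000000046").bytes_le
# "OlePres" as it appears in a UTF-16LE compound-file directory entry (substring check only)
OLEPRES_MARKER = "OlePres".encode("utf-16-le")
HEXDIGITS = b"0123456789abcdefABCDEF"


def extract_objdata(rtf: bytes) -> list:
    """Return (offset, decoded_bytes) for every \\objdata group in the RTF.

    Walks the enclosing brace group, skips nested control words/symbols and keeps
    only hex digits, so whitespace and line breaks inside the blob are tolerated.
    """
    out = []
    for m in re.finditer(rb"\\objdata\b", rtf):
        depth, i, hexbuf = 1, m.end(), bytearray()
        while i < len(rtf) and depth > 0:
            c = rtf[i]
            if c == ord("{"):
                depth += 1
            elif c == ord("}"):
                depth -= 1
            elif c == ord("\\"):
                j = i + 1
                if j < len(rtf) and chr(rtf[j]).isalpha():      # control word, e.g. \bin123
                    while j < len(rtf) and chr(rtf[j]).isalpha():
                        j += 1
                    if j < len(rtf) and rtf[j] == ord("-"):
                        j += 1
                    while j < len(rtf) and chr(rtf[j]).isdigit():
                        j += 1
                elif j < len(rtf) and rtf[j] == ord("'"):        # \'hh escaped byte
                    j += 3
                else:                                             # other control symbol
                    j += 1
                i = j
                continue
            elif c in HEXDIGITS:
                hexbuf.append(c)
            i += 1
        if len(hexbuf) % 2:
            hexbuf = hexbuf[:-1]                                  # tolerate a dangling nibble
        out.append((m.start(), bytes.fromhex(hexbuf.decode())))
    return out


def parse_ole1_header(data: bytes) -> dict:
    """Parse the OLE1 ObjectHeader at the start of decoded \\objdata.

    Layout: OLEVersion u32, FormatID u32, ClassName (u32 length + ANSI string),
    then TopicName and ItemName (same encoding); for FormatID 2 (embedded object)
    a u32 NativeDataSize and the NativeData bytes follow.
    """
    if len(data) < 12:
        return {}
    ole_version, format_id, n = struct.unpack_from("<III", data, 0)
    pos = 12
    info = {"ole_version": ole_version, "format_id": format_id,
            "class_name": data[pos:pos + n].rstrip(b"\x00").decode("latin-1", "replace")}
    pos += n
    for _ in range(2):                                            # TopicName, ItemName
        if pos + 4 > len(data):
            return info
        (n,) = struct.unpack_from("<I", data, pos)
        pos += 4 + n
    if format_id == 2 and pos + 4 <= len(data):
        (size,) = struct.unpack_from("<I", data, pos)
        info["native_data_size"] = size
        info["native_data"] = data[pos + 4:pos + 4 + size]
    return info


def triage_rtf(rtf: bytes) -> dict:
    """Apply the report's RTF heuristics to one document and return the findings."""
    f = {
        "objupdate": len(re.findall(rb"\\objupdate\b", rtf)),
        "objemb": len(re.findall(rb"\\objemb\b", rtf)),
        "enable_lure": re.search(rb"enable\s+(editing|content)", rtf, re.I) is not None,
        "composite_moniker": False,
        "olepres": False,
        "objdata": [],
    }
    for off, blob in extract_objdata(rtf):
        hdr = parse_ole1_header(blob)
        f["objdata"].append({"offset": off, "size": len(blob), "class_name": hdr.get("class_name")})
        f["composite_moniker"] |= COMPOSITE_MONIKER_CLSID in blob
        f["olepres"] |= OLEPRES_MARKER in blob
    return f


def build_sample_rtf() -> bytes:
    """Constructed sample, not the analysed file: an \\objupdate'd embedded "Package"
    object whose native data carries the Composite Moniker CLSID."""
    native = b"\x01\x00\x00\x00" + COMPOSITE_MONIKER_CLSID + b"\x00" * 16
    cls = b"Package\x00"
    ole1 = (struct.pack("<III", 0x00000501, 2, len(cls)) + cls
            + struct.pack("<II", 0, 0)                            # empty TopicName, ItemName
            + struct.pack("<I", len(native)) + native)
    return (b"{\\rtf1\\ansi Please click Enable Editing to view the invoice."
            b"{\\object\\objemb\\objupdate{\\*\\objdata " + ole1.hex().encode() + b"}}}")


if __name__ == "__main__":
    print(triage_rtf(build_sample_rtf()))
```

Run against the constructed sample it reports one \objupdate, one \objemb, one 68-byte \objdata blob with class name "Package", the Composite Moniker CLSID present, no OlePres marker, and the enable-editing lure. As the heuristics note, a CLSID or stream-name hit is attack-surface evidence only; confirming exploitation still requires looking at what the native data actually contains.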

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • objdata_00_off00000b4b.bin
    SHA-256: 4b20c31edc0f15c719816236d1240c6eb788c6c5e9a009c10d805e10ea751e90
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0xB4B
    Size: 33923 bytes
  • objdata_01_off00011556.bin
    SHA-256: 12289ea42203fe86d5d6e86e52672f752ead5709842d0443203b40a4917d5ece
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x11556
    Size: 12261 bytes
  • objdata_02_off00017566.bin
    SHA-256: 3e20173573ecd45c8939b7e831a9cf85b4400150438f9db306f3dfd962c27af6
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x17566
    Size: 2632 bytes