Malicious RTF — malware analysis report

Static analysis result for SHA-256 cb679dd7ceda0b5a…

MALICIOUS

RTF

Size: 41.0 KB
Authoring application: Msftedit 5.41.15.1507
First seen: 2015-10-02
MD5: 2cb3c1b3780e3e927d402ee32d990165
SHA-1: a9443786902ca89e6c2bb5338d51e78e5eaa889e
SHA-256: cb679dd7ceda0b5a3cf05e5f272166cddd2efdde86ad690c703032ffe9694191
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The RTF file contains multiple embedded OLE objects: four \objdata sections and an \objemb control word, flagged by the RTF_OBJDATA and RTF_OBJEMB heuristics. The ClamAV signature name Doc.Dropper.Agent-1691516 classifies the file as a dropper, i.e. a document whose role is to deliver further malicious content rather than being the payload itself. Embedded OLE objects in an RTF are the usual vehicle for exploiting a client-side vulnerability in the viewing application to execute a payload. The static heuristics here do not establish which of the four objects is the trigger or what it drops, so the carved artifacts listed below should be examined individually.

Heuristics (4)

  • ClamAV: Doc.Dropper.Agent-1691516 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-1691516.
  • OLE object data [medium] (RTF_OBJDATA)
    RTF contains 4 \objdata section(s), i.e. hex-encoded embedded OLE objects.
  • Embedded OLE object [medium] (RTF_OBJEMB)
    RTF contains \objemb, marking an embedded (rather than linked) OLE object.
  • OlePres presentation stream in RTF OLE object [medium] (RTF_OLEPRES_STREAM)
    RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker that benign embedded objects also carry, so it is not enough on its own to identify CVE-2025-21298.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename                     Kind                  Source                         Size
objdata_00_off0000012b.bin   rtf-objdata-decoded   RTF \objdata at offset 0x12B   14939 bytes
  SHA-256: d7664b7d968622eeaa3f4c65ff4ce164c38edfaf44cfc91bc214efdbe9dbedbc
objdata_01_off0000792b.bin   rtf-objdata-decoded   RTF \objdata at offset 0x792B  440 bytes
  SHA-256: ea5d234f81e7c6f4d2681a1e14ba35656c4caea1ff0358220f369a5f5b5ba6da
objdata_02_off00007cc1.bin   rtf-objdata-decoded   RTF \objdata at offset 0x7CC1  4821 bytes
  SHA-256: 60371ad591079b36dc281663e31ab1859e2f33da1aad4a7eef3cd32a4d785675
objdata_03_off00008055.bin   rtf-objdata-decoded   RTF \objdata at offset 0x8055  2347 bytes
  SHA-256: f180756a72c49ab825865be56755d2df3b56e2f8a2f1664890de39855704ceb9
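As an added example, not part of the original report or of the pipeline that produced it, the Python script below carves \objdata groups the way the "Extracted artifacts" table above is laid out (offset, decoded size, SHA-256) and re-derives the three RTF heuristics (RTF_OBJDATA, RTF_OBJEMB, RTF_OLEPRES_STREAM). It uses only the standard library. The RTF it analyses is constructed inside the script for the demonstration and is not the analysed sample; the OlePres check is a plain byte-pattern match for the UTF-16LE stream name, not a full compound-file parse, and raw \binN object data is not handled.

```python
"""Carve embedded OLE1 objects from RTF \\objdata groups and apply the report's heuristics.
Added example, standard library only; the sample RTF built below is constructed."""
from __future__ import annotations
import hashlib
import re
import struct
from dataclasses import dataclass

OBJDATA_RE = re.compile(rb"\\objdata\b")
CONTROL_WORD_RE = re.compile(rb"\\\*?[A-Za-z]+-?\d* ?")   # e.g. \bin, \*\objdata
NON_HEX_RE = re.compile(rb"[^0-9A-Fa-f]")
FORMAT_IDS = {1: "linked", 2: "embedded"}                # MS-OLEDS ObjectHeader.FormatID


@dataclass
class OleObject:
    rtf_offset: int      # byte offset of the \objdata control word in the RTF
    data: bytes          # hex-decoded OLE1 object
    ole_version: int
    format_id: int
    class_name: str

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.data).hexdigest()


def group_end(rtf: bytes, open_idx: int) -> int:
    """Index of the '}' matching the '{' at open_idx; \\{ \\} \\\\ escapes are skipped."""
    depth, i = 0, open_idx
    while i < len(rtf):
        c = rtf[i:i + 1]
        if c == b"\\":
            i += 2                        # skip the escaped char / control-word start
            continue
        if c == b"{":
            depth += 1
        elif c == b"}":
            depth -= 1
            if depth == 0:
                return i
        i += 1
    raise ValueError("unbalanced RTF group")


def enclosing_group_start(rtf: bytes, idx: int) -> int:
    """Walk backwards from idx to the '{' opening the innermost group containing it."""
    depth = 0
    for i in range(idx - 1, -1, -1):
        if i > 0 and rtf[i - 1:i] == b"\\":
            continue                      # escaped brace, not structural
        c = rtf[i:i + 1]
        if c == b"}":
            depth += 1
        elif c == b"{":
            if depth == 0:
                return i
            depth -= 1
    raise ValueError("\\objdata outside any group")


def lp_ansi_string(buf: bytes, off: int) -> tuple[str, int]:
    """MS-OLEDS LengthPrefixedAnsiString: uint32 length (NUL included) then the bytes."""
    (n,) = struct.unpack_from("<I", buf, off)
    raw = buf[off + 4:off + 4 + n]
    return raw.rstrip(b"\x00").decode("latin-1"), off + 4 + n


def carve_objdata(rtf: bytes) -> list[OleObject]:
    """Decode every \\objdata group (hex text only; \\binN raw data is not handled)."""
    objs = []
    for m in OBJDATA_RE.finditer(rtf):
        start = enclosing_group_start(rtf, m.start())
        body = rtf[m.end():group_end(rtf, start)]
        hexdata = NON_HEX_RE.sub(b"", CONTROL_WORD_RE.sub(b"", body))
        blob = bytes.fromhex(hexdata[:len(hexdata) & ~1].decode("ascii"))
        try:
            ver, fmt = struct.unpack_from("<II", blob, 0)   # OLEVersion, FormatID
            cls, _ = lp_ansi_string(blob, 8)                # ClassName
        except struct.error:
            continue                      # too short for an OLE1 ObjectHeader
        objs.append(OleObject(m.start(), blob, ver, fmt, cls))
    return objs


def heuristics(rtf: bytes, objs: list[OleObject]) -> dict:
    """The report's three RTF heuristics. OlePres is matched as a UTF-16LE OLE2 stream
    name inside the decoded object; as the report notes, that alone identifies no CVE."""
    olepres = "OlePres".encode("utf-16-le")
    return {
        "RTF_OBJDATA": len(objs),
        "RTF_OBJEMB": re.search(rb"\\objemb\b", rtf) is not None,
        "RTF_OLEPRES_STREAM": any(olepres in o.data for o in objs),
    }


def build_sample() -> bytes:
    """Constructed sample: one embedded OLE1 'Package' object whose native data
    carries an OLE2-style 'OlePres000' stream name (hypothetical, for the demo)."""
    cls = b"Package\x00"
    native = b"\x00" * 4 + "OlePres000".encode("utf-16-le")
    ole1 = (struct.pack("<II", 0x0501, 2)               # OLEVersion, FormatID=embedded
            + struct.pack("<I", len(cls)) + cls          # ClassName
            + struct.pack("<II", 0, 0)                   # empty TopicName, ItemName
            + struct.pack("<I", len(native)) + native)   # NativeDataSize, NativeData
    return (b"{\\rtf1\\ansi {\\object\\objemb{\\*\\objclass Package}"
            b"{\\*\\objdata " + ole1.hex().encode() + b"}{\\result {\\pict}}}\\par}")


if __name__ == "__main__":
    rtf = build_sample()
    objs = carve_objdata(rtf)
    for i, o in enumerate(objs):
        print(f"objdata_{i:02d}_off{o.rtf_offset:08x}.bin  {len(o.data)} bytes  "
              f"{FORMAT_IDS.get(o.format_id, '?')}  class={o.class_name}  sha256={o.sha256}")
    print(heuristics(rtf, objs))
```

Run it against a real sample by replacing build_sample() with open(path, "rb").read(); each carved object can then be written out and handed to an OLE2 parser, which is the step that actually distinguishes a benign OlePres stream from a crafted one.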