RTF malware analysis — malicious · d94e75ce654086bf

MALICIOUS

RTF

500.9 KB Authoring application: Riched20 10.0.15063 First seen: 2019-02-10

MD5: 05587707a43142d26b1e6c9a8f04f8db SHA-1: 6631694215ef9350ee30905e1200d4757f5109b1 SHA-256: d94e75ce654086bfb44ca99fef9ee5ad751d0fd08625fbc7a584c1da011a54e7

100 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF file contains multiple embedded OLE objects, with heuristics indicating that \objupdate forces OLE activation. This suggests the file is designed to exploit vulnerabilities within OLE object handling to achieve client execution. The specific exploit or payload is not directly discernible from the static analysis, leading to an unknown family classification.

Heuristics 4

\objupdate forces OLE activation high RTF_OBJUPDATE

RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
OLE object data medium RTF_OBJDATA

RTF contains 10 \objdata section(s) — embedded OLE objects
Embedded OLE object medium RTF_OBJEMB

RTF contains \objemb — embedded OLE object
OlePres presentation stream in RTF OLE object medium RTF_OLEPRES_STREAM

RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off00000109.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x109	24910 bytes
SHA-256: `730958b8679ed2bb8b175b415adba6f709963209196a1ec612d1ee0fc30b3cf8`
`objdata_02_off00019197.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x19197	24910 bytes
SHA-256: `506a804d26573a53332b1ae8a37ffa5425e2166d57b892a3f13c56f1bb4b7344`

Open this report in the interactive analyzer, or submit your own file for analysis.