Malicious RTF — malware analysis report

Static analysis result for SHA-256 d9dbea199319b628…

MALICIOUS

RTF

498.4 KB Created: 2018-06-04 05:48:00 First seen: 2021-02-23
MD5: 693d23d7689ccda89f6a17685f47509f SHA-1: 1507637cbcb6d232fa30b3095ff4b77f62bb67c2 SHA-256: d9dbea199319b628d5a8f26b94d2a6e0ea5d7f1a51c6a86d6d8ab29f301d74bf
282 Risk Score

Heuristics 8

  • Composite Moniker in RTF OLE object high CVE related RTF_COMPOSITE_MONIKER_RELATED
    RTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
  • ClamAV: Xls.Malware.Generic-6834349-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.Generic-6834349-0
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 5 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • OlePres presentation stream in RTF OLE object medium RTF_OLEPRES_STREAM
    RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2003/wordml In RTF body

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00003821.bin rtf-objdata-decoded RTF \objdata at offset 0x3821 35899 bytes
SHA-256: 48a29d90cd1fe06434c01103bb2bc84fbff9f5cae7a26cbbdf1fe9ab05ef60c2
Detection
ClamAV: Xls.Malware.Generic-6834349-0
Obfuscation or payload: unlikely
objdata_01_off0001a955.bin rtf-objdata-decoded RTF \objdata at offset 0x1A955 35899 bytes
SHA-256: 6901aba0d7564a92e5aea3c1fc5726b1f81ec92eab7d09a555f9cdb0cfd49d62
Detection
ClamAV: Xls.Malware.Generic-6834349-0
Obfuscation or payload: unlikely
objdata_02_off00031a89.bin rtf-objdata-decoded RTF \objdata at offset 0x31A89 35899 bytes
SHA-256: 96ae4ed7b714151d0a015982e4074590028d94e23eecda8d5edb34ed3034c4d0
Detection
ClamAV: Xls.Malware.Generic-6834349-0
Obfuscation or payload: unlikely
objdata_03_off00048bbd.bin rtf-objdata-decoded RTF \objdata at offset 0x48BBD 35899 bytes
SHA-256: d820ede8a3f65dfbb9a8f8d84673dab1f2d190116e015a4370526f46ae0e0cc7
Detection
ClamAV: Xls.Malware.Generic-6834349-0
Obfuscation or payload: unlikely
objdata_04_off0005fcf1.bin rtf-objdata-decoded RTF \objdata at offset 0x5FCF1 35899 bytes
SHA-256: 7190d55bb43c99aa262038fc3d095086966404bbb047bf31a638586babec701a
Detection
ClamAV: Xls.Malware.Generic-6834349-0
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.