Malicious RTF — malware analysis report

Static analysis result for SHA-256 e655a4d313181975…

Verdict: MALICIOUS
File type: RTF
Size: 41.0 KB
Authoring application: Msftedit 5.41.15.1507
First seen: 2015-10-13
MD5: eb1d21d35f88a7b30be202e40f7f8230
SHA-1: 981ec7a19a946279a0a2f696d7f7289550cdb66a
SHA-256: e655a4d3131819750d23dd2eaa1efdd820982a488f76371384632adf202a32d4
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The RTF file contains multiple embedded OLE objects, indicated by RTF_OBJDATA and RTF_OBJEMB heuristics. ClamAV detection as 'Doc.Dropper.Agent-1691516' strongly suggests this file acts as a dropper for malicious content. The presence of OLE objects points towards exploitation of client-side vulnerabilities to execute a payload.

Heuristics (4)

  • ClamAV: Doc.Dropper.Agent-1691516 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-1691516
  • OLE object data [medium] (RTF_OBJDATA)
    RTF contains 4 \objdata section(s): embedded OLE objects
  • Embedded OLE object [medium] (RTF_OBJEMB)
    RTF contains \objemb: embedded OLE object
  • OlePres presentation stream in RTF OLE object [medium] (RTF_OLEPRES_STREAM)
    RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename                    Kind                 Source                          Size
objdata_00_off0000012b.bin  rtf-objdata-decoded  RTF \objdata at offset 0x12B    14939 bytes
    SHA-256: d7664b7d968622eeaa3f4c65ff4ce164c38edfaf44cfc91bc214efdbe9dbedbc
objdata_01_off0000792b.bin  rtf-objdata-decoded  RTF \objdata at offset 0x792B   440 bytes
    SHA-256: ea5d234f81e7c6f4d2681a1e14ba35656c4caea1ff0358220f369a5f5b5ba6da
objdata_02_off00007cc1.bin  rtf-objdata-decoded  RTF \objdata at offset 0x7CC1   4814 bytes
    SHA-256: 3119c6311c5ffe5749ea0c2319a52f1102c8a78ec1f8d1d7d2e3c7e00d950012
objdata_03_off00008055.bin  rtf-objdata-decoded  RTF \objdata at offset 0x8055   2347 bytes
    SHA-256: f180756a72c49ab825865be56755d2df3b56e2f8a2f1664890de39855704ceb9