Verdict: MALICIOUS
Risk Score: 62

Malware Insights

MITRE ATT&CK:
- T1566.001 Spearphishing Attachment
- T1203 Exploitation for Client Execution
The RTF file contains multiple embedded OLE objects, indicated by RTF_OBJDATA and RTF_OBJEMB heuristics. These objects likely contain malicious code or exploit code designed to execute when the document is opened. The presence of these embedded objects suggests an attempt to exploit vulnerabilities or deliver a secondary payload, aligning with spearphishing attachment tactics. No specific family could be identified due to the lack of script content.
Heuristics (4)
- OLE object data (medium) [RTF_OBJDATA]: RTF contains 2 \objdata section(s) — embedded OLE objects
- Embedded OLE object (medium) [RTF_OBJEMB]: RTF contains \objemb — embedded OLE object
- OlePres presentation stream in RTF OLE object (medium) [RTF_OLEPRES_STREAM]: RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
- Embedded URL info [EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://exstat.redmond.corp.microsoft.com/me (in RTF body)
  - http://go.microsoft.com/fwlink/?LinkID=147091&clcid=0x409 (in RTF body)
  - http://schemas.microsoft.com/office/word/2003/wordml}{ (in RTF body)
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| objdata_00_off00003d87.bin | rtf-objdata-decoded | RTF \objdata at offset 0x3D87 | 46208 bytes | ca5a71126763b83e5252b508d71045aff01c235541bf16e3b80de85d74073e41 |
| objdata_01_off00042937.bin | rtf-objdata-decoded | RTF \objdata at offset 0x42937 | 37448 bytes | 5de28c4e0fe91981be0a33fa881004b240761e4fca07ebc9e7e38742a07a4b43 |