Malicious RTF — malware analysis report

Static analysis result for SHA-256 e74c53325f43f6d6…

Verdict: MALICIOUS
File type: RTF
Size: 528.2 KB
Created: 1999-04-16 10:27:00
Authoring application: Microsoft Word 11.0.8106
First seen: 2021-09-27
MD5: 0c68aa18f218975e9c8e94ee595f45d2
SHA-1: 4aaa17264c155ef3e79f73b2c8697721cae77ff6
SHA-256: e74c53325f43f6d67c4f761f689731146b97cbab4557009d286262c4517bab3c
Risk score: 62

Note that the creation timestamp predates the authoring application (Word 11.0 is Word 2003). The RTF \creatim and \generator fields are writer-supplied metadata that may be carried over from an older document or set freely by an attacker, so neither is evidence on its own.

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The RTF file contains two embedded OLE objects, flagged by the RTF_OBJDATA and RTF_OBJEMB heuristics and carved under Extracted artifacts below. Embedded OLE objects are the usual carrier for exploit code or a secondary payload that runs when an RTF is opened, which is consistent with spearphishing attachment delivery (T1566.001) followed by client-side exploitation (T1203). Embedded objects alone are not proof of malicious intent, since legitimate Word-generated RTFs embed objects too, so the two carved objects are the artifacts to examine next. No specific family could be identified because the sample contains no macro or script content.

Heuristics (4)

  • RTF_OBJDATA (medium): OLE object data
    RTF contains 2 \objdata section(s), i.e. two embedded OLE objects.
  • RTF_OBJEMB (medium): embedded OLE object
    RTF contains \objemb, the control word that marks an embedded (rather than linked, \objlink) OLE object.
  • RTF_OLEPRES_STREAM (medium): OlePres presentation stream in RTF OLE object
    RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an ordinary OLE presentation-cache marker and is not enough on its own to identify CVE-2025-21298.
  • EMBEDDED_URL (info): embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All three below were found in the RTF body only; none was reached by macro or script content, since the sample has none.
    • http://exstat.redmond.corp.microsoft.com/me (in RTF body)
    • http://go.microsoft.com/fwlink/?LinkID=147091&clcid=0x409 (in RTF body)
    • http://schemas.microsoft.com/office/word/2003/wordml}{ (in RTF body; the trailing "}{" is a pair of RTF group delimiters captured by the extractor, and the URL itself is the WordML namespace declaration)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                    Kind                 Source                          Size
objdata_00_off00003d87.bin  rtf-objdata-decoded  RTF \objdata at offset 0x3D87   46208 bytes
    SHA-256: ca5a71126763b83e5252b508d71045aff01c235541bf16e3b80de85d74073e41
objdata_01_off00042937.bin  rtf-objdata-decoded  RTF \objdata at offset 0x42937  37448 bytes
    SHA-256: 5de28c4e0fe91981be0a33fa881004b240761e4fca07ebc9e7e38742a07a4b43
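The following Python script is an added example, not the analysis platform's code: it carves \objdata objects the way the Extracted artifacts table above describes (offset, decoded size, SHA-256) and reproduces the RTF_OBJDATA, RTF_OBJEMB, RTF_OLEPRES_STREAM and body-URL checks from the Heuristics section. It assumes the OLE1 EmbeddedObject layout documented in MS-OLEDS (ObjectHeader, NativeDataSize, NativeData) and treats an "OlePres" UTF-16LE string in the decoded object as the presentation-stream marker; the RTF it builds when run without arguments is constructed for the demonstration and is not the analysed sample.

```python
# Added example (not the analysis platform's code). Assumes the OLE1 EmbeddedObject
# layout from MS-OLEDS. Usage: python rtf_objdata.py sample.rtf  (no arg: built-in sample)
import hashlib
import json
import re
import sys
from pathlib import Path

OLE_CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 compound file signature
OLEPRES_UTF16 = "OlePres".encode("utf-16-le")         # CFB stream names are UTF-16LE
CONTROL_WORD = re.compile(rb"\\[a-zA-Z]+-?\d* ?")

def find_objdata(data: bytes):
    """Yield (offset, group_body) per \\objdata; the body runs to the brace that
    closes the enclosing group, so a nested group does not truncate the payload."""
    for m in re.finditer(rb"\\objdata\b", data):
        depth, i = 0, m.end()
        while i < len(data):
            ch = data[i:i + 1]
            if ch == b"{":
                depth += 1
            elif ch == b"}":
                if depth == 0:
                    break
                depth -= 1
            i += 1
        yield m.start(), data[m.end():i]

def decode_objdata_hex(body: bytes) -> bytes:
    """Hex-decode a body after dropping control words and non-hex bytes (Word wraps
    the hex with CRLF; attackers add junk); an odd trailing nibble is discarded."""
    cleaned = re.sub(rb"[^0-9A-Fa-f]", b"", CONTROL_WORD.sub(b"", body))
    return bytes.fromhex(cleaned[: len(cleaned) & ~1].decode("ascii"))

def _lp_ansi(buf: bytes, pos: int):
    """MS-OLEDS LengthPrefixedAnsiString: u32 length (including NUL), then bytes."""
    if pos + 4 > len(buf):
        return None, pos
    n, pos = int.from_bytes(buf[pos:pos + 4], "little"), pos + 4
    if pos + n > len(buf):
        return None, pos
    return buf[pos:pos + n].rstrip(b"\x00").decode("latin-1"), pos + n

def parse_ole1_header(raw: bytes):
    """Parse the OLE1 ObjectHeader; FormatID 2 = embedded object, 1 = linked."""
    if len(raw) < 8:
        return None
    class_name, pos = _lp_ansi(raw, 8)
    topic_name, pos = _lp_ansi(raw, pos)
    item_name, pos = _lp_ansi(raw, pos)
    if None in (class_name, topic_name, item_name) or pos + 4 > len(raw):
        return None
    native_size = int.from_bytes(raw[pos:pos + 4], "little")
    return {"format_id": int.from_bytes(raw[4:8], "little"), "class_name": class_name,
            "native": raw[pos + 4:pos + 4 + native_size]}

def describe_object(offset: int, body: bytes) -> dict:
    """One row of the 'Extracted artifacts' table plus the OlePres marker check."""
    raw = decode_objdata_hex(body)
    hdr = parse_ole1_header(raw) or {}
    return {"offset": offset, "size": len(raw), "sha256": hashlib.sha256(raw).hexdigest(),
            "format_id": hdr.get("format_id"), "class_name": hdr.get("class_name"),
            "native_is_cfb": hdr.get("native", b"").startswith(OLE_CFB_MAGIC),
            # RTF_OLEPRES_STREAM: a presentation-cache marker only, not a CVE match
            "has_olepres": OLEPRES_UTF16 in raw}

def scan_rtf(data: bytes) -> dict:
    """Reproduce RTF_OBJDATA, RTF_OBJEMB, RTF_OLEPRES_STREAM and the body URL scan."""
    objects = [describe_object(off, body) for off, body in find_objdata(data)]
    # Stop at RTF braces so a namespace URL does not drag a trailing '}{' along.
    urls = re.findall(rb"https?://[^\s{}\\]+", data)
    return {"objdata_count": len(objects), "has_objemb": b"\\objemb" in data,
            "olepres_stream": any(o["has_olepres"] for o in objects),
            "urls": sorted({u.decode("ascii", "replace") for u in urls}),
            "objects": objects}

def build_sample_rtf() -> bytes:
    """Constructed test input (not the analysed sample): one embedded 'Package' object
    whose native data is a fake compound file that names an OlePres000 stream."""
    native = OLE_CFB_MAGIC + b"\x00" * 24 + "OlePres000".encode("utf-16-le") + b"\x00" * 8
    cls = b"Package\x00"
    header = (b"\x01\x05\x00\x00" + (2).to_bytes(4, "little")         # OLEVersion, FormatID=embedded
              + len(cls).to_bytes(4, "little") + cls                   # ClassName
              + (0).to_bytes(4, "little") + (0).to_bytes(4, "little")  # TopicName, ItemName: empty
              + len(native).to_bytes(4, "little") + native)
    hexdata = header.hex().encode("ascii")
    wrapped = b"\r\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))
    return (b"{\\rtf1\\ansi{\\*\\xmlnstbl {\\xmlns1 http://schemas.microsoft.com/office/word/2003/wordml}}"
            b"{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata " + wrapped + b"}}\\par}")

if __name__ == "__main__":
    data = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else build_sample_rtf()
    print(json.dumps(scan_rtf(data), indent=2))
```

Run against the real sample, the two reported offsets (0x3D87 and 0x42937) and the SHA-256 of each decoded object should match the artifact table; a mismatch usually means the analysis platform decoded the hex more or less leniently than this script does, which is itself a useful finding because RTF obfuscation targets exactly that parser disagreement. The ClassName and FormatID from the OLE1 header, together with whether the native data starts with the compound-file signature, are what tell you which OLE handler the object will reach when the document is opened.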