Malicious RTF — malware analysis report

Static analysis result for SHA-256 efcfb4bd93265f9f…

MALICIOUS

RTF

282.2 KB
MD5: b9a5ea9d3cab85c427bc974a5cff015f
SHA-1: 67e5a0fddfa6980437cbccfa7359beb3e3138f69
SHA-256: efcfb4bd93265f9f61844a67594aa17f3e2c8fdc1bbe995c5aa35b10a754f521

Risk Score: 180

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment
  • T1059.005 Visual Basic

The RTF document contains multiple OLE objects, including one that triggers an objupdate directive, indicating an attempt to activate embedded content. The document body explicitly instructs the user to 'Enable Editing', a common lure for macro-based malware. The presence of OLE object data and composite monikers suggests the embedded object is designed to execute code, likely a downloader or dropper. No scripts were extracted, but the heuristics strongly indicate a malicious OLE object designed to bypass security controls.

Heuristics (7)

  • Composite Moniker in RTF OLE object (severity: high; CVE related) [RTF_COMPOSITE_MONIKER_RELATED]
    RTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
  • \objupdate forces OLE activation (severity: high) [RTF_OBJUPDATE]
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium) [RTF_OBJDATA]
    RTF contains 3 \objdata section(s) — embedded OLE objects.
  • Embedded OLE object (severity: medium) [RTF_OBJEMB]
    RTF contains \objemb — embedded OLE object.
  • OlePres presentation stream in RTF OLE object (severity: medium) [RTF_OLEPRES_STREAM]
    RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
  • Macro/content-enable lure (severity: medium) [SE_ENABLE_LURE]
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings.
  • Suspicious extracted artifact (severity: medium) [EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                     Kind                 Source                            Size
objdata_00_off00000b44.bin   rtf-objdata-decoded  RTF \objdata at offset 0xB44      48415 bytes
  SHA-256: 3f4d6ce442be57b67a31e653fe19c5460746410ae0acce46e7acc13ef765f331
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely (carved artifact contains 2 shell/COM execution token(s))
objdata_01_off00018687.bin   rtf-objdata-decoded  RTF \objdata at offset 0x18687    12261 bytes
  SHA-256: 12289ea42203fe86d5d6e86e52672f752ead5709842d0443203b40a4917d5ece
objdata_02_off0001e699.bin   rtf-objdata-decoded  RTF \objdata at offset 0x1E699    2632 bytes
  SHA-256: 5de732ece55617b212baa0db7102c497ed7e809d372953a6a31ff14adb5754f5