Verdict: MALICIOUS
Risk Score: 242
Heuristics: 7
- Composite Moniker — CVE-2017-8570 (drops SCT script) [critical, CVE_2017_8570]: RTF \objdata decodes to OLE data containing the Composite Moniker — CVE-2017-8570 (drops SCT script) CLSID — the vulnerable control/moniker is embedded directly in the document's object stream, the delivery shape of this exploit. RTF objects auto-render when Word opens the file.
- Composite Moniker in RTF OLE object [high, RTF_COMPOSITE_MONIKER_RELATED]: RTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
- ClamAV: Rtf.Exploit.CVE_2017_0199-6335035-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Rtf.Exploit.CVE_2017_0199-6335035-0
- Automatically linked OLE object [high, RTF_OBJAUTLINK]: RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
- OLE object data [medium, RTF_OBJDATA]: RTF contains 30 \objdata section(s) — embedded OLE objects
- OlePres presentation stream in RTF OLE object [medium, RTF_OLEPRES_STREAM]: RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)
  - http://at-share.anntaylor.com/sites/labdiptracking/Shared%20Documents/Corporate%20Color%20Chart/Corporate%20Color%20Chart.xlsx (in RTF body)
Extracted artifacts 30
Files carved from inside the sample during analysis.