Malicious RTF — malware analysis report

Static analysis result for SHA-256 10c6e9aa35802a5d…

Verdict: MALICIOUS
File type: RTF
Size: 1.79 MB   Created: 2020-06-22 11:45:00   First seen: 2021-07-07
MD5: ef11b8213ef4e0b5b250672172509c9c
SHA-1: 719ef853297090207e83566ecb512caf7236333b
SHA-256: 10c6e9aa35802a5d10e893fa7b4421565f6a36a7278b47c5edf682a2d31c949d
Risk score: 362

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1203 Exploitation for Client Execution
  • T1059.005 Command and Scripting Interpreter: Visual Basic

The RTF document carries a lure instructing the user to click 'Enable Editing' to view supposedly protected content, a common dropper tactic for getting the victim out of Protected View so that embedded objects are activated. It also contains references to PowerShell and Windows Script Host, and its embedded-object layout matches the staging used for two known vulnerabilities in OLE object handling in RTF files (CVE-2017-8759 and CVE-2026-21514), which suggests it is designed to download and execute a secondary payload.

Heuristics (11)

  • CVE-2017-8759 — MSXML SAX OLE activation (critical; CVE match: likely; CVE_2017_8759)
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759, a code-injection flaw in the .NET Framework SOAP/WSDL parser reached through the MSXML SAX reader.
  • CVE-2026-21514 — Word/OLE security bypass in RTF (high; CVE match: likely; CVE_2026_21514)
    RTF contains a hidden \svb hex package with DrsE2oDoc and downRevStg drawing compatibility parts. This matches an observed CVE-2026-21514 exploitation shape that manipulates Word's internal document structure and trust decisions.
  • Reference to PowerShell (high; SC_STR_POWERSHELL)
    String reference to PowerShell found in the sample.
  • Reference to Windows Script Host (high; SC_STR_WSCRIPT)
    String reference to Windows Script Host (WScript) found in the sample.
  • Package object class (high; RTF_OBJCLASS_PACKAGE)
    OLE Package object — can wrap an arbitrary file (including an executable or script) that is written to disk when the object is activated.
  • Large hex data blocks in OLE object (high; RTF_EXCESSIVE_HEX)
    RTF contains ~1633 KB of hex-encoded data inside \objdata sections — may hide a payload.
  • Suspicious extracted artifact (high; EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • OLE object data (medium; RTF_OBJDATA)
    RTF contains 1 \objdata section — an embedded OLE object.
  • Embedded OLE object (medium; RTF_OBJEMB)
    RTF contains \objemb — an embedded OLE object.
  • Macro/content-enable lure (medium; SE_ENABLE_LURE)
    Document instructs the user to enable editing or macros. Malware droppers use this to get the victim to leave Protected View ('Enable Editing') or enable macros ('Enable Content'), the Office controls that would otherwise keep embedded objects or macro code from running.
  • Embedded URL (info; EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2003/ (in RTF body). This is the Word 2003 XML namespace identifier that appears in document markup, not a download location, so it is not an indicator on its own.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: objdata_00_off001b2e45.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x1B2E45
  Size: 11695 bytes
  SHA-256: d3785299561838fcfed61f87ce4d0cf580d5b02f379d08d59d6ea7c36d2f1767
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely
  Static shellcode analysis recovered command string(s): mshta.exe
  Note: this decoded object is far smaller than the ~1633 KB of hex reported inside \objdata, so most of the hex-encoded data was not carved into this artifact and should be inspected separately.

Filename: rtf_svb_00004521.zip
  Kind: rtf-svb-package
  Source: RTF \svb hex-decoded ZIP at offset 0x4521
  Size: 1765 bytes
  SHA-256: 0af44f049db8c4e16d4d6fdd78ef1da0c9ccce116048fa5d73915efc16d52522
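The carving the report describes for both artifacts (the \objdata hex run that decodes to an OLE1 object wrapping Msxml2.SAXXMLReader.6.0 plus an OLE compound document, and the \svb hex run that decodes to a ZIP) can be reproduced with a short parser. The following is an added example written for this page, not the analysis platform's own code. It assumes the [MS-OLEDS] ObjectHeader layout (OLEVersion, FormatID, three length-prefixed ANSI strings, then NativeDataSize and NativeData for embedded objects), treats \svb as a plain hex-carrying control word as the report does, and runs against a constructed RTF that imitates the sample's shape rather than the sample itself. The SUSPECT_CLASSES mapping is hypothetical.

```python
r"""Carve hex runs after \objdata and \svb in an RTF, decode them, and classify the result."""
import re
import struct

OLE_VERSION = 0x00000501                            # OLEVersion field of an [MS-OLEDS] ObjectHeader
CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"    # OLE compound document signature
ZIP_MAGIC = b"PK\x03\x04"                           # ZIP local file header signature
HEX_RUN = re.compile(rb"\\(objdata|svb)\b\s*([0-9A-Fa-f\s]+)")
LURE = re.compile(rb"enable\s+(editing|content|macros)", re.I)
# Class names worth flagging; a hypothetical mapping for this example, not a complete list.
SUSPECT_CLASSES = {
    "msxml2.saxxmlreader.6.0": "CVE-2017-8759 staging (MSXML SAX OLE activation)",
    "package": "OLE Package object, can wrap an arbitrary file",
}


def lp_string(s: bytes) -> bytes:
    """LengthPrefixedAnsiString: 4-byte length (counting the NUL) followed by the bytes."""
    return struct.pack("<I", len(s)) + s


def build_sample_rtf() -> bytes:
    """Constructed test input mimicking the staging shape in the report; not the real sample."""
    native = CFB_MAGIC + b"\x00" * 56                # stands in for the embedded OLE compound document
    ole1 = struct.pack("<II", OLE_VERSION, 2)        # FormatID 2 = EmbeddedObject
    ole1 += lp_string(b"Msxml2.SAXXMLReader.6.0\x00") + lp_string(b"") + lp_string(b"")
    ole1 += struct.pack("<I", len(native)) + native  # NativeDataSize + NativeData
    hexd = ole1.hex().encode()
    wrapped = b"\r\n".join(hexd[i:i + 64] for i in range(0, len(hexd), 64))  # Word wraps hex lines
    zip_blob = ZIP_MAGIC + b"\x00" * 26              # minimal ZIP local-header shape
    return (b"{\\rtf1\\ansi"
            b"{\\object\\objemb\\objupdate{\\*\\objclass Msxml2.SAXXMLReader.6.0}"
            b"{\\*\\objdata " + wrapped + b"}}"
            b"{\\*\\svb " + zip_blob.hex().encode() + b"}"
            b"\\par This document is protected. Enable Editing to view the content.\\par}")


def carve_hex_blobs(rtf: bytes) -> list:
    r"""Return every hex run following \objdata or \svb, decoded, with its file offset."""
    out = []
    for m in HEX_RUN.finditer(rtf):
        digits = re.sub(rb"\s+", b"", m.group(2))      # hex is line-wrapped; strip whitespace
        digits = digits[: len(digits) & ~1]            # drop a dangling nibble instead of raising
        out.append({"control": m.group(1).decode(), "offset": m.start(),
                    "data": bytes.fromhex(digits.decode("ascii"))})
    return out


def parse_ole1(blob: bytes):
    """Parse an [MS-OLEDS] ObjectHeader (+NativeData for embedded objects); None if not OLE1."""
    if len(blob) < 8 or struct.unpack_from("<I", blob, 0)[0] != OLE_VERSION:
        return None
    fmt = struct.unpack_from("<I", blob, 4)[0]
    pos, names = 8, []
    for _ in range(3):                                 # ClassName, TopicName, ItemName
        if pos + 4 > len(blob):
            return None
        n = struct.unpack_from("<I", blob, pos)[0]
        pos += 4
        if n > len(blob) - pos:                        # length field points past the blob
            return None
        names.append(blob[pos:pos + n].rstrip(b"\x00").decode("latin-1"))
        pos += n
    native = b""
    if fmt == 2 and pos + 4 <= len(blob):              # EmbeddedObject carries NativeData
        size = struct.unpack_from("<I", blob, pos)[0]
        native = blob[pos + 4:pos + 4 + size]
    return {"format_id": fmt, "class_name": names[0], "native": native}


def triage(rtf: bytes) -> dict:
    """Classify each carved blob and check the body text for the enable-editing lure."""
    blobs = []
    for b in carve_hex_blobs(rtf):
        rec = {"control": b["control"], "offset": b["offset"], "size": len(b["data"]),
               "kind": "unknown", "flags": []}
        hdr = parse_ole1(b["data"])
        if hdr:
            rec["kind"] = "ole1-object"
            rec["class_name"] = hdr["class_name"]
            if hdr["class_name"].lower() in SUSPECT_CLASSES:
                rec["flags"].append(SUSPECT_CLASSES[hdr["class_name"].lower()])
            if hdr["native"].startswith(CFB_MAGIC):
                rec["native_kind"] = "ole-compound-document"
        elif b["data"].startswith(ZIP_MAGIC):
            rec["kind"] = "zip"
        if b["control"] == "svb":
            rec["flags"].append("hex package hidden under \\svb")
        blobs.append(rec)
    return {"blobs": blobs, "lure": bool(LURE.search(rtf))}


if __name__ == "__main__":
    result = triage(build_sample_rtf())
    for rec in result["blobs"]:
        print(rec)
    print("enable-editing lure present:", result["lure"])
```

Run against a real file with `triage(open(path, "rb").read())`; the returned offsets are byte positions of the control word, which is how the artifact names above (off001b2e45, 00004521) are derived. The class name comes from the OLE1 header rather than from \objclass, since the two need not agree and the header is what Word acts on.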