Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 282ebd0b67bd0b64…

MALICIOUS

RTF / .DOC

Size: 681.4 KB
Created: 2021-03-20 12:03:00
MD5: 30b4cd4ecc0ddab6ee080a68876cc53f
SHA-1: 0e0289c166723f705362c864f8a109eba4fa1c63
SHA-256: 282ebd0b67bd0b6410da9397fb307e2fb800d8f290cb89fb8d6f4a78d5046950
Risk Score: 180

Malware Insights

MITRE ATT&CK

  • T1204 Malicious Link
  • T1204.002 Malicious Link: Malicious File
  • T1059 Command and Scripting Interpreter
  • T1559 Component Object Model Hijacking
  • T1559.001 Component Object Model Hijacking: Component Object Model

The RTF document contains multiple OLE objects, with specific heuristics indicating the exploitation of CVE-2017-8759 and CVE-2026-21514. These vulnerabilities allow for OLE activation and security bypass, enabling the execution of arbitrary code when the document is opened. The embedded OLE objects are likely payloads designed to further compromise the system.

Heuristics (5)

  • CVE-2017-8759 — MSXML SAX OLE activation (severity: critical; confidence: CVE likely; id: CVE_2017_8759)
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
  • CVE-2026-21514 — Word/OLE security bypass in RTF (severity: high; confidence: CVE likely; id: CVE_2026_21514)
    RTF contains a hidden \svb hex package with DrsE2oDoc and downRevStg drawing compatibility parts. This matches an observed CVE-2026-21514 exploitation shape that manipulates Word's internal document structure and trust decisions.
    URL: http://schemas.microsoft.com/office/word/2003/wordml
  • \objupdate forces OLE activation (severity: high; id: RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium; id: RTF_OBJDATA)
    RTF contains 9 \objdata section(s): embedded OLE objects.
  • Embedded OLE object (severity: medium; id: RTF_OBJEMB)
    RTF contains \objemb: an embedded OLE object.

Extracted artifacts (10)

Files carved from inside the sample during analysis.

Each entry lists the carved filename, its SHA-256, the artifact kind, the source location in the RTF, and the size.

  • objdata_00_off000041f3.bin
    SHA-256: 15fa72a46c3ad542db61d205a4a6a9c419a6ff3fce99eac8283c1d631a080aa6
    Kind: rtf-objdata-decoded; Source: RTF \objdata at offset 0x41F3; Size: 24635 bytes
  • objdata_01_off00015c49.bin
    SHA-256: 6fd0964dae5dfb897ced7ce49aaa2ec6086301c328db3a2f49901a242915e136
    Kind: rtf-objdata-decoded; Source: RTF \objdata at offset 0x15C49; Size: 24635 bytes
  • objdata_02_off000276a1.bin
    SHA-256: f44204ea3869e793651d752b8aeac4cce6418fac80964d5dcd4791795800f265
    Kind: rtf-objdata-decoded; Source: RTF \objdata at offset 0x276A1; Size: 24635 bytes
  • objdata_03_off000390f9.bin
    SHA-256: 414b55adeb4c680a4f8bb7f8801f988c512d4821e21913534075d457c370e983
    Kind: rtf-objdata-decoded; Source: RTF \objdata at offset 0x390F9; Size: 24635 bytes
  • objdata_04_off0004ab51.bin
    SHA-256: 983baea47dff9577d860fac8afa4c8c2a26312a121c06fada9c66854c666a51e
    Kind: rtf-objdata-decoded; Source: RTF \objdata at offset 0x4AB51; Size: 24635 bytes
  • objdata_05_off0005c5a9.bin
    SHA-256: d945b5b11ea9e9aaf4fc540bd9dce414db0d6afedc45b789be860f46b02ffe53
    Kind: rtf-objdata-decoded; Source: RTF \objdata at offset 0x5C5A9; Size: 24635 bytes
  • objdata_06_off0006e001.bin
    SHA-256: 55b443beac04e9e9908271d62ccb0fe3d2fd732251dfebd46baadf3889195cb4
    Kind: rtf-objdata-decoded; Source: RTF \objdata at offset 0x6E001; Size: 24635 bytes
  • objdata_07_off0007fa59.bin
    SHA-256: 4acbfb839c26a9aa9554141f2f2bc1f20750fef9b46cb59fa8d761d3765b9038
    Kind: rtf-objdata-decoded; Source: RTF \objdata at offset 0x7FA59; Size: 24635 bytes
  • objdata_08_off000914b1.bin
    SHA-256: 50b51293c8f9535d08b996269ad3eb54bfc1984d024491245aa72959ce0b3e05
    Kind: rtf-objdata-decoded; Source: RTF \objdata at offset 0x914B1; Size: 24635 bytes
  • rtf_svb_00002ddb.zip
    SHA-256: 81ec90098a4e3a9793d297882d25c03059295cc74b7355afcadf08f09686b9fa
    Kind: rtf-svb-package; Source: RTF \svb hex-decoded ZIP at offset 0x2DDB; Size: 1682 bytes