Malicious RTF — malware analysis report

Static analysis result for SHA-256 300dde23b3c0acce…

Verdict: MALICIOUS
File type: RTF
Size: 1.06 MB
Created: 2021-07-17 09:06:00
MD5: ed6a54eb5a2a58a43b60241066bbdb76
SHA-1: 84b01b48a2ab3c7087337baed8f90bbbb0bc58b8
SHA-256: 300dde23b3c0accee53a2451c8f9b152128aa124a604c45f3af32e3be6fc2094
Risk score: 322

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Phishing: Spearphishing Attachment

The RTF file embeds a single OLE object (\objemb with one \objdata section) whose object class is Equation.3 and whose data carries the Equation Editor CLSID, the combination exploited by CVE-2017-11882, CVE-2018-0802 and CVE-2018-0798; this indicates an attempt at client-side code execution (T1203). A URL moniker GUID inside the same object is OLE2Link attack-surface evidence, but no decoded remote target was confirmed, so CVE-2017-0199 exploitation is not established. The ~1031 KB of hex-encoded data in \objdata and the Ole10Native stream point to an embedded payload container; a downloader is one plausible payload but is not confirmed by static analysis alone. Separately, a hidden \svb hex package that decodes to a ZIP with DrsE2oDoc and downRevStg parts matches an observed exploitation shape for CVE-2026-21514 (a Word/OLE security bypass). The document body, disguised as a COVID-19 vaccination drive form that references covid.gov.pk and loads the nhsrc.gov.pk logo, is the lure that gets the RTF opened (T1566.001).

Heuristics (9)

  • URL Moniker in RTF OLE object (severity: high; CVE related; RTF_URL_MONIKER_RELATED)
    RTF contains a URL Moniker GUID in OLE object context, but no decoded remote target was confirmed. Treat this as OLE2Link attack-surface evidence rather than proof of CVE-2017-0199 exploitation.
  • Ole10Native stream in RTF OLE object (severity: high; CVE related; RTF_OLE10NATIVE_STREAM)
    RTF contains an embedded OLE object with an Ole10Native stream. This is a strong payload-container signal and is associated with Word/OLE exploit delivery, but it is not specific enough on its own to assign a CVE.
  • CVE-2026-21514: Word/OLE security bypass in RTF (severity: high; CVE likely; CVE_2026_21514)
    RTF contains a hidden \svb hex package with DrsE2oDoc and downRevStg drawing compatibility parts. This matches an observed CVE-2026-21514 exploitation shape that manipulates Word's internal document structure and trust decisions.
  • Equation Editor CLSID (severity: critical; RTF_EQUATION_EDITOR)
    Equation Editor OLE CLSID found inside an OLE object; this class is the one exploited by CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798.
  • Equation Editor object class (severity: critical; RTF_OBJCLASS_EQUATION)
    Object class 'equation.3' references Equation Editor.
  • Large hex data blocks in OLE object (severity: high; RTF_EXCESSIVE_HEX)
    RTF contains ~1031 KB of hex-encoded data inside \objdata sections; this volume may hide a payload.
  • OLE object data (severity: medium; RTF_OBJDATA)
    RTF contains 1 \objdata section (an embedded OLE object).
  • Embedded OLE object (severity: medium; RTF_OBJEMB)
    RTF contains \objemb (an embedded OLE object).
  • Embedded URLs (severity: info; EMBEDDED_URL)
    One or more URLs were extracted from the document. A URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Two points a reviewer should take from this list: https://www.covid.gov.pk.indexpage.link/vaccine-details is a lookalike, since its registrable domain is indexpage.link, not gov.pk, and it matches the vaccination-form lure; and the ocsp/crl/crt/CPS entries with stray trailing characters (0, 0s, 0#, 04, 0v, 0%) are X.509 certificate-chain URLs from a Sectigo / Comodo / USERTrust code-signing chain carved out of binary data, the trailing characters being the following DER bytes (a 0x30 SEQUENCE tag and a length byte) that the string extractor kept. They indicate a code-signing certificate chain inside the embedded object data (typically from a signed executable), not hosts the document itself contacts. The schemas.microsoft.com entry is the WordML namespace URI and is benign on its own. The "}}{" trailing the nhsrc.gov.pk entry is RTF control residue adjoining the URL in the document body.
    • https://www.covid.gov.pk
    • http://www.nhsrc.gov.pk/SiteImage/Setting/gov_logo.png}}{
    • https://www.covid.gov.pk.indexpage.link/vaccine-details
    • http://ocsp.sectigo.com0
    • http://ocsp.comodoca.com0
    • http://ocsp.usertrust.com0
    • http://schemas.microsoft.com/office/word/2003/wordml
    • https://sectigo.com/CPS0
    • http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
    • http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
    • http://crl.comodoca.com/AAACertificateServices.crl04
    • http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl0v
    • http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt0%
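The RTF-level heuristics above (RTF_OBJEMB, RTF_OBJDATA, RTF_OBJCLASS_EQUATION, RTF_EQUATION_EDITOR, RTF_URL_MONIKER_RELATED, RTF_OLE10NATIVE_STREAM, RTF_EXCESSIVE_HEX, and the \svb-to-ZIP carving listed under extracted artifacts) all reduce to the same two steps: locate the \objdata and \svb destinations, hex-decode them, and look for fixed byte patterns in the result. The following Python is an added example of that triage, not the analysis service's code and not derived from the real sample. It assumes the on-disk little-endian forms of the Equation Editor CLSID (0002CE02-0000-0000-C000-000000000046) and the standard URL moniker CLSID (79EAC9E0-BAF9-11CE-8C82-00AA004BA90B), treats the \svb body the same way as \objdata, ignores \bin raw-binary runs, and uses an assumed 100 KB threshold for "excessive" hex (the report does not state its own). The sample RTF it builds is constructed for the demonstration and is not a valid OLE compound file.

```python
"""Triage of RTF OLE objects, mirroring the heuristic ids in the report above.

Added example, not the analysis service's own code. It hex-decodes the
\\objdata and \\svb destinations of an RTF and looks for the indicators the
heuristics name: Equation Editor CLSID, URL moniker CLSID, an Ole10Native
stream name, an 'equation' object class, and an oversized hex payload.
"""
import re
import uuid

# On-disk (little-endian) byte forms of the CLSIDs the heuristics key on.
EQUATION_EDITOR_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046").bytes_le
URL_MONIKER_CLSID = uuid.UUID("79EAC9E0-BAF9-11CE-8C82-00AA004BA90B").bytes_le
OLE10NATIVE_NAME = "Ole10Native".encode("utf-16-le")  # CFB stream names are UTF-16LE
ZIP_MAGIC = b"PK\x03\x04"
EXCESSIVE_HEX_BYTES = 100 * 1024  # assumed threshold; the report's own is not stated

_DEST_RE = re.compile(r"\{\\\*\\(objdata|svb)\b")
_OBJCLASS_RE = re.compile(r"\{\\\*\\objclass\s+([^{}]+)\}")


def _group_body(text: str, open_brace: int) -> str:
    """Return the text inside the RTF group whose '{' is at open_brace."""
    depth, i = 0, open_brace
    while i < len(text):
        ch = text[i]
        if ch == "\\":          # \{ \} \\ and control words never count as braces
            i += 2
            continue
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                return text[open_brace + 1:i]
        i += 1
    return text[open_brace + 1:]  # unterminated group: take the rest


def extract_hex_destinations(rtf: str):
    """Yield (control_word, offset, decoded_bytes) for every \\objdata / \\svb group.

    Only hex-encoded bodies are handled; \\bin (raw binary) runs are not.
    """
    for m in _DEST_RE.finditer(rtf):
        body = _group_body(rtf, m.start())
        body = re.sub(r"^\\\*\\\w+\s*", "", body)       # drop the control word itself
        hexdigits = re.sub(r"[^0-9A-Fa-f]", "", body)   # writers wrap hex across lines
        if len(hexdigits) % 2:
            hexdigits = hexdigits[:-1]                 # tolerate a dangling nibble
        yield m.group(1), m.start(), bytes.fromhex(hexdigits)


def triage(rtf: str) -> dict:
    """Return {heuristic_id: evidence} for the indicators found in rtf."""
    hits = {}
    if "\\objemb" in rtf:
        hits["RTF_OBJEMB"] = "embedded OLE object"
    classes = [c.strip() for c in _OBJCLASS_RE.findall(rtf)]
    if any("equation" in c.lower() for c in classes):
        hits["RTF_OBJCLASS_EQUATION"] = classes
    objdata_count, total_hex = 0, 0
    for word, offset, blob in extract_hex_destinations(rtf):
        if word == "objdata":
            objdata_count += 1
            total_hex += len(blob)
            if EQUATION_EDITOR_CLSID in blob:
                hits["RTF_EQUATION_EDITOR"] = f"CLSID in objdata at offset {offset:#x}"
            if URL_MONIKER_CLSID in blob:
                hits["RTF_URL_MONIKER_RELATED"] = f"URL moniker GUID at offset {offset:#x}"
            if OLE10NATIVE_NAME in blob:
                hits["RTF_OLE10NATIVE_STREAM"] = f"Ole10Native stream at offset {offset:#x}"
        elif word == "svb" and blob.startswith(ZIP_MAGIC):
            hits["RTF_SVB_ZIP_PACKAGE"] = f"{len(blob)} byte ZIP at offset {offset:#x}"
    if objdata_count:
        hits["RTF_OBJDATA"] = objdata_count
    if total_hex > EXCESSIVE_HEX_BYTES:
        hits["RTF_EXCESSIVE_HEX"] = total_hex
    return hits


def constructed_sample() -> str:
    """Synthetic RTF carrying the indicators; not a valid OLE file and not the real sample."""
    blob = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8   # CFB magic + padding
            + EQUATION_EDITOR_CLSID + OLE10NATIVE_NAME + URL_MONIKER_CLSID + b"\x00" * 16)
    hexdata = blob.hex()
    wrapped = "\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))
    return ("{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Equation.3}"
            "{\\*\\objdata " + wrapped + "}}"
            "{\\*\\svb " + (ZIP_MAGIC + b"\x14\x00\x00\x00").hex() + "}}")


if __name__ == "__main__":
    for heuristic, evidence in sorted(triage(constructed_sample()).items()):
        print(f"{heuristic:28} {evidence}")
```

Against a real file, feed `triage()` the RTF text decoded as latin-1 so that no byte is lost; the offsets it reports are character offsets into that text and line up with the `\objdata at offset 0x...` notation used in the artifact table. The CLSID match is deliberately a raw byte search rather than a CFB directory walk, which is what lets it fire on the malformed or truncated objects exploit builders tend to emit.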

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                    Kind                 Source                                      Size
objdata_00_off0009d753.bin  rtf-objdata-decoded  RTF \objdata at offset 0x9D753              219378 bytes
  SHA-256: 34844019252251150959950b99d5af35279f89a8416c70dc5a56a3bbef71c06a
rtf_svb_000042e1.zip        rtf-svb-package      RTF \svb hex-decoded ZIP at offset 0x42E1   38397 bytes
  SHA-256: 521cb715b6c68d53c7e7b2cbb89a1608e809f14921af3b12bab038fd39e6d43a

Note that the decoded \objdata artifact is 219378 bytes, while the RTF_EXCESSIVE_HEX heuristic reports ~1031 KB of hex in \objdata, which would decode to roughly 515 KB. The carved object therefore accounts for less than half of the hex run, so the remainder of that section deserves manual inspection before the payload is considered fully recovered.