RTF malware analysis — malicious · 34cdfc67942060ba

MALICIOUS

RTF

1.37 MB Created: 2016-04-20 12:58:00 First seen: 2016-08-15

MD5: 735f0fbe44b70e184665aed8d1b2c117 SHA-1: 11064dcef86ac1d94c170b24215854efb8aad542 SHA-256: 34cdfc67942060ba30c1b9ac1db9bd042f0f8e487b805b8a3e1935b4d2508db6

324 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution

The RTF file contains embedded OLE objects and exploits CVE-2026-21514, a known vulnerability in Microsoft Word. It attempts to download a payload from http://www.insigniaadvertising.com.pk/bill/ using an INCLUDETEXT/INCLUDEPICTURE directive. ClamAV detections confirm the malicious nature, specifically identifying it as Doc.Exploit.CVE_2015_1641-6397417-0.

Heuristics 9

Composite Moniker in RTF OLE object high CVE related RTF_COMPOSITE_MONIKER_RELATED

RTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
CVE-2026-21514 — Word/OLE security bypass in RTF high CVE likely CVE_2026_21514

RTF contains a hidden \svb hex package with DrsE2oDoc and downRevStg drawing compatibility parts. This matches an observed CVE-2026-21514 exploitation shape that manipulates Word's internal document structure and trust decisions.
ClamAV: Doc.Exploit.CVE_2015_1641-6397417-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Exploit.CVE_2015_1641-6397417-0
Large hex data blocks in OLE object high RTF_EXCESSIVE_HEX

RTF contains ~1253KB of hex-encoded data inside \objdata sections — may hide a payload
INCLUDETEXT/INCLUDEPICTURE remote URL high RTF_INCLUDE_REMOTE

RTF document uses INCLUDETEXT or INCLUDEPICTURE with an http:// URL — Word can fetch the remote content on open depending on Office version and external-content settings, enabling remote template injection, NTLM capture via redirects, or payload delivery
OLE object data medium RTF_OBJDATA

RTF contains 3 \objdata section(s) — embedded OLE objects
Embedded OLE object medium RTF_OBJEMB

RTF contains \objemb — embedded OLE object
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.insigniaadvertising.com.pk/bill/ In RTF body
- http://schemas.microsoft.com/office/word/2003/wordmlIn RTF body

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off0003f54e.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x3F54E	45 bytes
SHA-256: `083c2e8b44386e792363878581e7e6cc02382e07194162f33517c429dfbcec43`
`objdata_01_off0003fef3.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x3FEF3	557105 bytes
SHA-256: `bb357e18baf6a5b6bcace8e4920f61d67814e808a3a63165774e57e5a42f7758`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.98, consistent with packed or encrypted content.
`objdata_02_off0015266f.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x15266F	16433 bytes
SHA-256: `ac8397211c1cd7886d49ccd99d0163edaa3711f18fc40ff269159d175e9e4c47`
Detection ClamAV: Doc.Exploit.CVE_2015_1641-6397417-0 Obfuscation or payload: unlikely
`rtf_svb_00011d8d.zip`	rtf-svb-package	RTF \svb hex-decoded ZIP at offset 0x11D8D	30287 bytes
SHA-256: `effd5101264d2298ca4652698595bdec833e6d8d2375177521ab1f84cc4d7301`

Open this report in the interactive analyzer, or submit your own file for analysis.