Malicious RTF — malware analysis report

Static analysis result for SHA-256 50cb0313a049f5df…

Verdict: MALICIOUS
File type: RTF
Size: 863.2 KB
Created: 2021-10-07 11:52:00
MD5: 847446bc1b6221de28dc78cef9d34623
SHA-1: d7eb7f50d0cf1d91acb4ebf6e0d996d9547493f4
SHA-256: 50cb0313a049f5df3f0fe95dc588bf7dca6ef76a7d713fc4b07348e21134749e
Risk Score: 102

Malware Insights

MITRE ATT&CK
  • T1204.002 — Malicious File
  • T1566.001 — Spearphishing Attachment

The RTF file contains embedded OLE objects and carries a \objupdate control word, indicating an attempt to exploit a known vulnerability. Specifically, the high-severity heuristic 'CVE_2026_21514' points to a Word/OLE security bypass. This suggests the file is designed to trick the user into activating the embedded object, which then likely executes a secondary payload. No document body or script content was available for further analysis, but the exploit itself is the primary indicator of malicious intent.

Heuristics (4)

  • CVE-2026-21514 — Word/OLE security bypass in RTF [severity: high; CVE, likely; rule ID: CVE_2026_21514]
    RTF contains a hidden \svb hex package with DrsE2oDoc and downRevStg drawing compatibility parts. This matches an observed CVE-2026-21514 exploitation shape that manipulates Word's internal document structure and trust decisions.
  • \objupdate forces OLE activation [severity: high; rule ID: RTF_OBJUPDATE]
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [severity: medium; rule ID: RTF_OBJDATA]
    RTF contains 1 \objdata section(s) — embedded OLE objects.
  • Embedded URL [severity: info; rule ID: EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ocsp.thawte.com0
    • http://ts-ocsp.ws.symantec.com07
    • http://schemas.microsoft.com/office/word/2003/wordml}}\paperw12240\paperh15840\margl1440\margr1440\margt993\margb1440\gutter0\ltrsect
    • http://crl.thawte.com/ThawteTimestampingCA.crl0
    • https://www.globalsign.com/repository/03
    • http://crl.globalsign.net/root.crl0
    • http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
    • http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
    • https://www.globalsign.com/repository/0
    • http://crl.globalsign.com/gs/gscodesigng2.crl0
    • http://secure.globalsign.com/cacert/gscodesigng2.crt04
    • http://ocsp2.globalsign.com/gscodesigng20

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: objdata_00_off000740d7.bin
    SHA-256: 257f62238bb9c59d14ec4165d834a222a24db6c3cd79feb6625cc4c20b47f9c5
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x740D7
    Size: 190548 bytes
  • Filename: rtf_svb_0006c35d.zip
    SHA-256: 9571f5c674a640f22f30391b781b1d102fb3c45a0055f6ef1839c937a777abaa
    Kind: rtf-svb-package
    Source: RTF \svb hex-decoded ZIP at offset 0x6C35D
    Size: 1763 bytes