Malicious RTF — malware analysis report

Static analysis result for SHA-256 6520365f20fe58e5…

MALICIOUS

RTF

43.3 KB Created: 2017-10-12 06:18:00 First seen: 2017-10-28
MD5: 3186de2cada188036d27c11534ec2ac1 SHA-1: e288231bca7a254d9145ea460c4fe2b3c5cf0c74 SHA-256: 6520365f20fe58e52afc467d076bc4cb1096f94ac7ca32ed9c411d66df69c24a
202 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF file contains a critical heuristic firing for CVE-2017-0199, indicating it is weaponized with a URL pointing to a malicious HTA payload. This exploit is used for client execution, likely leading to the download and execution of further malicious content. The embedded URL is the primary indicator of compromise.

Heuristics 6

  • CVE-2017-0199 (OLE2Link / weaponized URL) critical CVE exact CVE_2017_0199_WEAPONIZED_URL
    RTF contains a URL Moniker OLE link to a script/HTA/template-style remote loader, matching the tighter static CVE-2017-0199 shape.
  • ClamAV: Rtf.Exploit.CVE_2017_0199-6335035-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Rtf.Exploit.CVE_2017_0199-6335035-0
  • Automatically linked OLE object high RTF_OBJAUTLINK
    RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • OlePres presentation stream in RTF OLE object medium RTF_OLEPRES_STREAM
    RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://almahalliah.com/csc/htaonu.hta In RTF body
    • http://schemas.microsoft.com/office/word/2003/wordmlIn RTF body

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off0000269e.bin rtf-objdata-decoded RTF \objdata at offset 0x269E 4664 bytes
SHA-256: 80a7b45c445cb420237ecbfcae6af54e9db8cfa1291d575ee60b0ca2e64b2ec6