Malicious RTF — malware analysis report

Static analysis result for SHA-256 70b11fd6e051fe89…

Verdict: MALICIOUS
File type: RTF
Size: 1.81 MB
Created: 2021-11-23 10:59:00
MD5: a6d0890c962e0ddf6d49dbfaea5ad45d
SHA-1: d555f4e3866b1eaa50793905b70006dffc66e1e3
SHA-256: 70b11fd6e051fe8922d7f25b5f748a2ce31de5b73bbc79800caade32fa913691
Risk Score: 320

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution
  • T1059.005 Visual Basic

The RTF document contains a lure instructing the user to 'Enable Editing' and 'Double Click' to view content, a common tactic for malware droppers. It leverages CVE-2017-8759 and CVE-2026-21514, indicating exploitation for client execution. The presence of OLE object data and references to PowerShell and WScript suggests the document is designed to download and execute a second-stage payload.

Heuristics (9)

  • CVE-2017-8759 — MSXML SAX OLE activation (critical, CVE likely) [CVE_2017_8759]
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
  • CVE-2026-21514 — Word/OLE security bypass in RTF (high, CVE likely) [CVE_2026_21514]
    RTF contains a hidden \svb hex package with DrsE2oDoc and downRevStg drawing compatibility parts. This matches an observed CVE-2026-21514 exploitation shape that manipulates Word's internal document structure and trust decisions.
  • Reference to PowerShell (high) [SC_STR_POWERSHELL]
    Reference to PowerShell
  • Reference to Windows Script Host (high) [SC_STR_WSCRIPT]
    Reference to Windows Script Host
  • Package object class (high) [RTF_OBJCLASS_PACKAGE]
    OLE Package object — can wrap arbitrary files
  • Large hex data blocks in OLE object (high) [RTF_EXCESSIVE_HEX]
    RTF contains ~1646 KB of hex-encoded data inside \objdata sections — may hide a payload
  • OLE object data (medium) [RTF_OBJDATA]
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded OLE object (medium) [RTF_OBJEMB]
    RTF contains \objemb — embedded OLE object
  • Macro/content-enable lure (medium) [SE_ENABLE_LURE]
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • objdata_00_off001b6619.bin
    SHA-256: 2cff77c25eb6e832b6bfa538d87c519099b350de00a20c6ac698a98a6f565bbf
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x1B6619
    Size: 11695 bytes
  • rtf_svb_00004633.zip
    SHA-256: 0af44f049db8c4e16d4d6fdd78ef1da0c9ccce116048fa5d73915efc16d52522
    Kind: rtf-svb-package
    Source: RTF \svb hex-decoded ZIP at offset 0x4633
    Size: 1765 bytes