Malicious RTF — malware analysis report

Static analysis result for SHA-256 832cc791aad64626…

MALICIOUS

RTF

216.3 KB Created: 2014-03-27 04:06:00 First seen: 2017-12-24
MD5: 63cfb80afc7749fb02561eb8f5c6c4cd SHA-1: 5c928d2039aa6437f394f31a5251d15e479f6257 SHA-256: 832cc791aad6462687e42e40fd9b261f3d2fbe91c5256241264309a5d437e4d8
342 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

This RTF document exploits known vulnerabilities (CVE-2017-0199, CVE-2017-8759, CVE-2026-21514) to automatically activate OLE objects and download a secondary payload from http://comonscar.in/test4.hta. The document body contains resume-related text, likely serving as a lure to encourage the user to enable content, which is a common technique for malware droppers.

Heuristics 9

  • CVE-2017-8759 — MSXML SAX OLE activation critical CVE likely CVE_2017_8759
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
  • CVE-2017-0199 (OLE2Link / weaponized URL) critical CVE exact CVE_2017_0199_WEAPONIZED_URL
    RTF contains a URL Moniker OLE link to a script/HTA/template-style remote loader, matching the tighter static CVE-2017-0199 shape.
  • CVE-2026-21514 — Word/OLE security bypass in RTF high CVE likely CVE_2026_21514
    RTF contains a hidden \svb hex package with DrsE2oDoc and downRevStg drawing compatibility parts. This matches an observed CVE-2026-21514 exploitation shape that manipulates Word's internal document structure and trust decisions.
  • ClamAV: Rtf.Exploit.CVE_2017_0199-6335035-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Rtf.Exploit.CVE_2017_0199-6335035-0
  • Automatically linked OLE object high RTF_OBJAUTLINK
    RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.hloom.com/download-professional-resume-templates/ In RTF body
    • http://comonscar.in/test4.hta}{In RTF body
    • http://www.hloom.com/how-format-resume-word/In RTF body
    • http://www.hloom.com/download-professional-resume-templates/}{In RTF body
    • http://comonscar.in/test4.htaIn RTF body
    • http://schemas.microsoft.com/office/word/2003/wordmlIn RTF body

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off0000a508.bin rtf-objdata-decoded RTF \objdata at offset 0xA508 3924 bytes
SHA-256: a2c21cda5785a7265080b749878f478f01fc150a93a9d419e480ca1bfcf5edd7
rtf_svb_00004f15.zip rtf-svb-package RTF \svb hex-decoded ZIP at offset 0x4F15 1705 bytes
SHA-256: 61bba745ad3ee15698f3b73cc563dd030785b61915eae53d8a7d4b2bfe9ccf59

Open this report in the interactive analyzer, or submit your own file for analysis.