Malicious RTF — malware analysis report

Static analysis result for SHA-256 8bd8b881c7817fc7…

Verdict: MALICIOUS
File type: RTF
Size: 322.2 KB   Created: 2017-12-04 11:47:00   First seen: 2020-05-25
MD5: af05148c7b780352d5192dad47affb8b
SHA-1: 15f25554d69e13ff2f60d54d415b6a6026f7919a
SHA-256: 8bd8b881c7817fc7a771f198aeac2e89881bf268891b11cc2b7be1b2938756e8
Risk score: 124

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Phishing: Spearphishing Attachment

The RTF carries three \objdata OLE objects (at least one marked \objemb) together with \objupdate, which makes Word instantiate the embedded object as soon as the document is opened, without the user activating it; that is the loading pattern of OLE-activation exploits. The CVE_2026_21514 heuristic fired on the hidden \svb hex package, carved as rtf_svb_0000d1ed.zip and holding DrsE2oDoc and downRevStg drawing-compatibility parts; that package is the likely vector for staging a secondary payload. Two caveats for the analyst: the CVE attribution is a structural match rather than a confirmed exploit chain (the document's creation timestamp, 2017-12-04, predates the CVE), and the largest carved object, objdata_00 (114928 bytes, entropy 8.00), is packed or encrypted and produced no ClamAV detection, so the actual payload has not been identified and needs manual unpacking or dynamic analysis. The document body reads as a benign training schedule, so any malicious content sits entirely in the embedded objects.

Heuristics (6)

  • CVE-2026-21514: Word/OLE security bypass in RTF   [severity: high, confidence: CVE likely, rule: CVE_2026_21514]
    RTF contains a hidden \svb hex package with DrsE2oDoc and downRevStg drawing compatibility parts. This matches an observed CVE-2026-21514 exploitation shape that manipulates Word's internal document structure and trust decisions. The match is on structure, not on a confirmed exploit chain; corroborate it by inspecting the carved package (rtf_svb_0000d1ed.zip).
  • \objupdate forces OLE activation   [severity: high, rule: RTF_OBJUPDATE]
    RTF contains \objupdate, which forces the embedded OLE object to be instantiated as soon as the document is opened, with no user interaction. It is seen almost exclusively in Equation Editor exploit documents.
  • OLE object data   [severity: medium, rule: RTF_OBJDATA]
    RTF contains 3 \objdata section(s), i.e. embedded OLE objects (see Extracted artifacts).
  • Embedded OLE object   [severity: medium, rule: RTF_OBJEMB]
    RTF contains \objemb, an embedded (as opposed to linked) OLE object.
  • Suspicious extracted artifact   [severity: info, rule: EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms. The artifact that matched here is objdata_00 (obfuscation or payload: likely; entropy 8.00).
  • Embedded URL   [severity: info, rule: EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label records which channel (macro, JS, link annotation, document body, ...) reached it.
    URL http://schemas.microsoft.com/office/word/2003/wordml (in RTF body). This is the WordprocessingML 2003 XML namespace identifier, expected wherever WordML or drawing XML is embedded in a document; it is not a network indicator and should not be blocked or hunted on.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename                     Kind                  Source                                      Size
objdata_00_off00015011.bin   rtf-objdata-decoded   RTF \objdata at offset 0x15011              114928 bytes
    SHA-256: 7affb78d7a666df851ef1061c9c51a2743cc9709934d0c97ef485292b0939000
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely. Carved artifact entropy is 8.00, consistent with packed or encrypted content.
objdata_01_off0004d217.bin   rtf-objdata-decoded   RTF \objdata at offset 0x4D217              6847 bytes
    SHA-256: e41db3b920b97d35fee7cad90d8e442e95f33a22b8414d5819876e58889c49d7
objdata_02_off0004d231.bin   rtf-objdata-decoded   RTF \objdata at offset 0x4D231              6843 bytes
    SHA-256: cbf708629437999ba26cf021c20424245fb880bd6c399adc3aa83dd2b149b130
    Note: objdata_01 and objdata_02 start 26 bytes apart and decode to sizes that differ by 4 bytes, which is the signature of one \objdata group nested inside another being carved twice; diff the two before counting them as separate objects.
rtf_svb_0000d1ed.zip         rtf-svb-package       RTF \svb hex-decoded ZIP at offset 0xD1ED   1652 bytes
    SHA-256: f106da6d822e1ff9b42c9786eafb8830cce56a1ce820d07daf9dc8a210562784
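The following script reproduces the checks this report relies on: the control-word heuristics (RTF_OBJUPDATE, RTF_OBJEMB, RTF_OBJDATA), nesting-aware hex-decoding of \objdata and \svb groups, Shannon entropy of each carved object, a ZIP listing of the \svb package, and an overlap check for the nested-carve shape seen in objdata_01/objdata_02. It is an added example, not the report generator's code: the RTF it scans is constructed inside the script, and the HIGH_ENTROPY_OBJECT, OVERLAPPING_CARVES and SVB_ZIP_PACKAGE rule names and the 7.5 bits/byte threshold are this example's own choices.

```python
"""Static RTF triage (added example). Rule names RTF_OBJUPDATE / RTF_OBJEMB /
RTF_OBJDATA mirror the report; the sample document, the 7.5 entropy threshold and
HIGH_ENTROPY_OBJECT / OVERLAPPING_CARVES / SVB_ZIP_PACKAGE are this example's own."""
import io
import math
import random
import re
import zipfile
from collections import Counter
from dataclasses import dataclass
from typing import List

# control word (\letters, optional signed number, one optional space), \'hh escape, or \x
CONTROL_RE = re.compile(rb"\\[A-Za-z]+-?\d* ?|\\'[0-9A-Fa-f]{2}|\\.")
NOT_HEX_RE = re.compile(rb"[^0-9A-Fa-f]")


@dataclass
class Carved:
    word: str     # control word the data hung off (objdata / svb)
    offset: int   # byte offset of that control word inside the RTF
    data: bytes   # hex-decoded content


@dataclass
class Finding:
    rule: str
    severity: str
    detail: str


def find_group_end(rtf: bytes, start: int) -> int:
    """Index of the '}' closing the group open at `start`, honouring nesting and escapes."""
    depth, i = 0, start
    while i < len(rtf):
        c = rtf[i]
        if c == 0x5C:                       # backslash escapes the next byte (\{, \})
            i += 2
            continue
        if c == 0x7D and depth == 0:        # '}' at our depth closes the group
            return i
        depth += (c == 0x7B) - (c == 0x7D)
        i += 1
    return len(rtf)


def carve_hex_groups(rtf: bytes, word: bytes) -> List[Carved]:
    """Hex-decode every {\\*\\<word> ...} group, dropping nested control words."""
    out = []
    for m in re.finditer(rb"\\" + word + rb"(?![A-Za-z])", rtf):
        body = CONTROL_RE.sub(b"", rtf[m.end():find_group_end(rtf, m.end())])
        hexchars = NOT_HEX_RE.sub(b"", body)
        hexchars = hexchars[: len(hexchars) & ~1]    # exploit docs often pad to odd length
        out.append(Carved(word.decode(), m.start(), bytes.fromhex(hexchars.decode())))
    return out


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.00 means all 256 byte values are equally frequent."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def zip_entries(data: bytes) -> List[str]:
    """Member names when `data` is a ZIP container (the \\svb package shape), else []."""
    if not data.startswith(b"PK\x03\x04"):
        return []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return z.namelist()


def triage(rtf: bytes, entropy_threshold: float = 7.5) -> List[Finding]:
    f: List[Finding] = []
    if re.search(rb"\\objupdate(?![A-Za-z])", rtf):
        f.append(Finding("RTF_OBJUPDATE", "high", "OLE object instantiated on open, no user action"))
    if re.search(rb"\\objemb(?![A-Za-z])", rtf):
        f.append(Finding("RTF_OBJEMB", "medium", "embedded (not linked) OLE object"))
    objs = carve_hex_groups(rtf, b"objdata")
    if objs:
        f.append(Finding("RTF_OBJDATA", "medium", f"{len(objs)} \\objdata section(s)"))
    for o in objs:
        ent = shannon_entropy(o.data)
        if len(o.data) >= 256 and ent >= entropy_threshold:
            f.append(Finding("HIGH_ENTROPY_OBJECT", "info", f"objdata@0x{o.offset:X}: {len(o.data)} B, H={ent:.2f}"))
    # a blob contained in its neighbour is one object carved through nested groups, not a second payload
    for a, b in zip(objs, objs[1:]):
        if b.data and (b.data in a.data or a.data in b.data):
            f.append(Finding("OVERLAPPING_CARVES", "info", f"objdata@0x{a.offset:X} and 0x{b.offset:X} overlap"))
    for s in carve_hex_groups(rtf, b"svb"):
        names = zip_entries(s.data)
        if names:
            f.append(Finding("SVB_ZIP_PACKAGE", "high", f"svb@0x{s.offset:X} is a ZIP: {names}"))
    return f


def build_sample_rtf() -> bytes:
    """Constructed test document exercising every rule above; not the analysed file."""
    # OLE1 header: version 0x501, format 2 (embedded), class-name length 11, "Equation.3\0"
    ole1 = bytes.fromhex("01050000020000000b000000") + b"Equation.3\x00"
    big = (ole1 + random.Random(7).randbytes(2048)).hex().encode()   # high-entropy filler
    small = (ole1 + b"\x00" * 64).hex().encode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:                              # the \svb package shape
        z.writestr("DrsE2oDoc", b"<xml/>")
        z.writestr("downRevStg", b"")
    return (b"{\\rtf1\\ansi\\deff0 Training schedule, week 1.\\par\n"
            b"{\\*\\svb " + buf.getvalue().hex().encode() + b"}\n"
            b"{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}"
            b"{\\*\\objdata \\bin0 " + big + b"}}\n"
            # nested \objdata groups get carved twice, like objdata_01 / objdata_02
            b"{\\object\\objemb{\\*\\objdata 0105{\\*\\objdata " + small + b"}}}\n}")
```

Run `triage(open(path, "rb").read())` on a real sample; the carves can be cross-checked against oletools' rtfobj, which walks the same \objdata groups. The entropy gate is deliberately paired with a minimum size, since tiny OLE headers score high by chance.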