Malicious RTF — malware analysis report

Static analysis result for SHA-256 9681ef910820d553…

MALICIOUS

RTF

4.82 MB Created: 2022-05-02 09:50:00 First seen: 2022-05-17
MD5: 341b5b4c5250098421d16030386caf98 SHA-1: f4e9b40aa4fb56ded5162a25c92d89cd7fc9d9a5 SHA-256: 9681ef910820d553e4cd54286f8893850a3a57a29df7114c6a6b0d89362ff326
220 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File T1566.001 Spearphishing Attachment

This RTF document contains multiple OLE objects and exhibits excessive hexadecimal data, indicating a packed payload. High-severity heuristics identify exploitation of CVE-2017-8759 and CVE-2026-21514, which are known vulnerabilities for arbitrary code execution in Microsoft Office. The presence of a hidden \svb DrsE2oDoc/downRevStg package further suggests the document is designed to exploit these vulnerabilities to download and execute a secondary payload.

Heuristics 6

  • CVE-2017-8759 — MSXML SAX OLE activation critical CVE likely CVE_2017_8759
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
  • CVE-2026-21514 — Word/OLE security bypass in RTF high CVE likely CVE_2026_21514
    RTF contains a hidden \svb hex package with DrsE2oDoc and downRevStg drawing compatibility parts. This matches an observed CVE-2026-21514 exploitation shape that manipulates Word's internal document structure and trust decisions.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • Large hex data blocks in OLE object high RTF_EXCESSIVE_HEX
    RTF contains ~4551KB of hex-encoded data inside \objdata sections — may hide a payload
  • OLE object data medium RTF_OBJDATA
    RTF contains 3 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off0046c427.bin
af3a748a19abf0531e196f8ad5367b5c1e00ef34ff8e389c0117567bd02a7411		 rtf-objdata-decoded RTF \objdata at offset 0x46C427 199932 bytes
objdata_01_off004cde45.bin
0a467cb1960eb1bf5430e360215ebd908c40d7799ae02af52201eed6e72f2a93		 rtf-objdata-decoded RTF \objdata at offset 0x4CDE45 6847 bytes
objdata_02_off004cde5f.bin
6eb384e0660ade828281f95c8930eea79feaf4ba7bf43568430b5ba81227c099		 rtf-objdata-decoded RTF \objdata at offset 0x4CDE5F 6843 bytes
rtf_svb_000890fe.zip
a90558c1d13268b652c00da0e0f258cf0cd1f916d460091a80cb127c5be7ef51		 rtf-svb-package RTF \svb hex-decoded ZIP at offset 0x890FE 1751 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.