Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 9e78f4e8f9d72868…

MALICIOUS

RTF / .DOC

Size: 967.0 KB
Created: 2019-12-20 17:39:00
MD5: 60dc66a71403e0b6219ff3386e84e045
SHA-1: 39e57055bd1890d888568e2898b6c34758245c99
SHA-256: 9e78f4e8f9d728685813e6225a333f406a656257d8deaea6dfe9ebb75a3ee374
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1059.001 PowerShell

The critical heuristic firing for CVE-2017-8759 indicates exploitation of MSXML SAX OLE activation. This suggests the RTF document is designed to trigger this vulnerability upon opening, leading to arbitrary code execution. The presence of OLE object data and embedded OLE objects further supports this attack vector. The likely intent is to download and execute a second-stage payload, although no specific details about the payload were extracted.

Heuristics (6)

  • CVE-2017-8759 — MSXML SAX OLE activation [critical; CVE likely] (CVE_2017_8759)
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
  • \objupdate forces OLE activation [high] (RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium] (RTF_OBJDATA)
    RTF contains 2 \objdata section(s) — embedded OLE objects.
  • Embedded OLE object [medium] (RTF_OBJEMB)
    RTF contains \objemb — embedded OLE object.
  • OlePres presentation stream in RTF OLE object [medium] (RTF_OLEPRES_STREAM)
    RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.c

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off0006d950.bin
SHA-256: 4132f47d9a41dad5e621bbbfdfdf466ce7f0c4ffe840739e1e65e235071beb54
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x6D950
Size: 121902 bytes