Malicious RTF — malware analysis report

Static analysis result for SHA-256 cb3429e608144909…

Verdict: MALICIOUS
File type: RTF
Size: 664.3 KB
Created: 2017-09-26 17:06:00
First seen: 2026-06-21
MD5: b2ae500b7376044ae92976d9e4b65af8
SHA-1: 7352ea59dcd83c3a72784dc381a7b6b5616c6629
SHA-256: cb3429e608144909ef25df2605c24ec253b10b6e99cbb6657afa6b92e9f32fb5
Risk score: 222

Heuristics (5)

  • CVE-2017-11826 malformed Word ActiveX package (severity: critical; CVE likely; rule: CVE_2017_11826_ACTIVEX_PACKAGE)
    RTF objdata decodes to a Word.Document.12 package with many null-CLSID ActiveX controls, repeated relationships to one oversized activeX1.bin CFB payload, and an extreme compression ratio. This is the submitted CVE-2017-11826 exploit carrier shape and avoids matching ordinary embedded ActiveX controls.
  • ClamAV: Doc.Dropper.Agent-6349423-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6349423-0
  • OLE object data (severity: medium; rule: RTF_OBJDATA)
    RTF contains 3 \objdata section(s) — embedded OLE objects
  • Embedded OLE object (severity: medium; rule: RTF_OBJEMB)
    RTF contains \objemb — embedded OLE object
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (found in document body)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • objdata_00_off0003972d.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x3972D
    Size: 45 bytes
    SHA-256: 083c2e8b44386e792363878581e7e6cc02382e07194162f33517c429dfbcec43
  • objdata_01_off00039807.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x39807
    Size: 53297 bytes
    SHA-256: b990036fc6897a709f0e1e362d1d2deb67bf245985f7cbc125271ad1ce116388
    Detection: ClamAV: Doc.Dropper.Agent-6349423-0
    Obfuscation or payload: unlikely
  • objdata_02_off000538e9.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x538E9
    Size: 14385 bytes
    SHA-256: 5dc51ec81e3463c6839ab957f9d74072710c4a47473574d15ad1ef301d54b882