Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 b04339f8e9ce1891…

MALICIOUS

RTF / .DOC

Size: 631.5 KB    Created: 2021-04-08 20:37:00
MD5: 5c2a6d7c703571d4f8b2ead028dd5fa9    SHA-1: 0e98fdb7798cfb4fb7c5f9cd932a7f78e2cd3eb7    SHA-256: b04339f8e9ce18914d16b8491b560ec5dfb25592ec933e7d759acc6e69ca7b2d
Risk Score: 260

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The file is an RTF document carrying multiple OLE objects whose staging matches known OLE vulnerability exploitation, including CVE-2017-8759 (MSXML SAX reader activation) and CVE-2026-21514, to execute embedded content. The \objdata and \objemb groups, combined with the \objupdate and \objautlink control words, force or automate OLE activation as soon as Word opens the document, which is the pattern used to trigger these vulnerabilities with no user interaction beyond opening the attachment. The visible document body is a lure, apparently related to financial transactions, as is typical for phishing attachments.

Heuristics (8)

  • CVE-2017-8759 — MSXML SAX OLE activation (severity: critical; class: CVE likely; rule: CVE_2017_8759)
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
  • Composite Moniker in RTF OLE object (severity: high; class: CVE related; rule: RTF_COMPOSITE_MONIKER_RELATED)
    RTF contains the Composite Moniker CLSID in an OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat this as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
  • CVE-2026-21514 — Word/OLE security bypass in RTF (severity: high; class: CVE likely; rule: CVE_2026_21514)
    RTF contains a hidden \svb hex package with DrsE2oDoc and downRevStg drawing compatibility parts. This matches an observed CVE-2026-21514 exploitation shape that manipulates Word's internal document structure and trust decisions.
  • Automatically linked OLE object (severity: high; rule: RTF_OBJAUTLINK)
    RTF contains \objautlink: an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • \objupdate forces OLE activation (severity: high; rule: RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, without any user interaction. Most often seen in Equation Editor exploit documents, but it activates whatever OLE class the object declares.
  • OLE object data (severity: medium; rule: RTF_OBJDATA)
    RTF contains 4 \objdata groups (hex-encoded OLE object data; the decoded blobs are listed under Extracted artifacts).
  • Embedded OLE object (severity: medium; rule: RTF_OBJEMB)
    RTF contains \objemb: an embedded (rather than linked) OLE object.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2003/wordml}}\paperw12240\paperh15840\margl1570\margr850\margt1134\margb1134\gutter0\ltrsect
    Note: the URL proper ends at ".../wordml". It is the standard WordML 2003 namespace URI that Word writes into the RTF \xmlnstbl group; the trailing "}}\paperw12240..." is RTF markup swept up by the URL extractor. This is a benign artifact, not a network indicator for this sample.
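The heuristics above describe what the analysis engine looked for. As an added example (not the analysis platform's code), the Python below carves \objdata groups out of an RTF, decodes the hex while tolerating the junk control words exploit documents interleave with it, parses the OLE1 ObjectHeader to recover the class name and native payload, and checks for the activation control words the report flags. SAMPLE_RTF and the helper that builds its OLE1 blobs are constructed for the demo and are not the analyzed file; the "CVE-2017-8759 shape" check is my simplification of the report's heuristic (MSXML SAX class, compound-document payload, forced activation).

```python
"""Carve RTF \\objdata groups and parse the OLE1 object header inside each.

Added example, not the analysis platform's code. SAMPLE_RTF is constructed
for this demo and is NOT the analyzed sample.
"""
import re
import struct

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE compound file signature
# Control words the report treats as OLE activation / staging surface.
ACTIVATION_FLAGS = (rb"\objupdate", rb"\objautlink", rb"\objemb", rb"\svb")


def _lp_string(data: bytes, off: int):
    """MS-OLEDS LengthPrefixedAnsiString: u32 length (incl. NUL) + bytes."""
    (n,) = struct.unpack_from("<I", data, off)
    off += 4
    return data[off:off + n].rstrip(b"\x00").decode("latin-1"), off + n


def parse_ole1(data: bytes) -> dict:
    """Parse an OLE1 ObjectHeader (MS-OLEDS 2.2.4) from decoded \\objdata bytes."""
    version, format_id = struct.unpack_from("<II", data, 0)
    class_name, off = _lp_string(data, 8)
    topic_name, off = _lp_string(data, off)
    item_name, off = _lp_string(data, off)
    native = b""
    if format_id == 2:  # EmbeddedObject: u32 NativeDataSize + NativeData
        (size,) = struct.unpack_from("<I", data, off)
        native = data[off + 4:off + 4 + size]
    return {
        "ole_version": version,
        "format": {1: "linked", 2: "embedded"}.get(format_id, "unknown"),
        "class_name": class_name,
        "topic_name": topic_name,
        "item_name": item_name,
        "native_size": len(native),
        "native_is_cfb": native.startswith(CFB_MAGIC),
    }


def carve_objdata(rtf: bytes):
    """Yield (offset, decoded bytes) for every \\objdata group in the RTF."""
    for m in re.finditer(rb"\\objdata\b", rtf):
        depth, i = 0, m.end()
        while i < len(rtf):            # walk to the '}' that closes this group
            c = rtf[i:i + 1]
            if c == b"{":
                depth += 1
            elif c == b"}":
                if depth == 0:
                    break
                depth -= 1
            i += 1
        body = rtf[m.end():i]
        # Exploit RTFs interleave junk control words (e.g. \rtlch) with the hex;
        # strip them before filtering, since their letters may be hex digits too.
        # Caveat: a control word immediately followed by hex digits is ambiguous
        # (the digits parse as its numeric parameter), so a production carver
        # tracks RTF tokenizer state instead of using this regex shortcut.
        body = re.sub(rb"\\[a-zA-Z]+-?\d* ?", b"", body)
        body = re.sub(rb"[^0-9a-fA-F]", b"", body)
        blob = bytes.fromhex(body[:len(body) & ~1].decode())
        if len(blob) >= 8:             # need at least OLEVersion + FormatID
            yield m.start(), blob


def triage(rtf: bytes) -> dict:
    """Reproduce the RTF_OBJDATA / activation-flag / CVE-2017-8759-shape checks."""
    objects = [dict(offset=off, **parse_ole1(blob)) for off, blob in carve_objdata(rtf)]
    flags = [f.decode() for f in ACTIVATION_FLAGS if re.search(re.escape(f) + rb"\b", rtf)]
    forced = any(f in flags for f in ("\\objupdate", "\\objautlink"))
    sax_cfb = any(o["class_name"].startswith("Msxml2.SAXXMLReader") and o["native_is_cfb"]
                  for o in objects)
    return {"objects": objects, "flags": flags, "cve_2017_8759_shape": forced and sax_cfb}


def _ole1_embedded(class_name: str, native: bytes) -> bytes:
    """Build an OLE1 EmbeddedObject blob (constructed test data, not from the sample)."""
    def lp(s: str) -> bytes:
        b = s.encode() + b"\x00" if s else b""
        return struct.pack("<I", len(b)) + b
    return (struct.pack("<II", 0x0501, 2) + lp(class_name) + lp("") + lp("")
            + struct.pack("<I", len(native)) + native)


def _rtf_hex(blob: bytes) -> bytes:
    """Hex-encode like Word does, then inject one junk control word as exploit kits do."""
    h = blob.hex().encode()
    lines = [h[i:i + 64] for i in range(0, len(h), 64)]
    lines[0] += b"\\rtlch"             # junk control word, then a line break
    return b"\r\n".join(lines)


# Constructed lure RTF: an embedded MSXML SAX object with a CFB payload plus
# \objupdate, and a harmless second object to show multi-object carving.
SAMPLE_RTF = b"".join([
    b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Calibri;}}\\paperw12240\\paperh15840\n",
    b"Please find attached the invoice for the pending wire transfer.\\par\n",
    b"{\\object\\objemb\\objupdate\\objw1440\\objh1440",
    b"{\\*\\objclass Msxml2.SAXXMLReader.6.0}\n{\\*\\objdata ",
    _rtf_hex(_ole1_embedded("Msxml2.SAXXMLReader.6.0", CFB_MAGIC + b"\x00" * 24)),
    b"}\n{\\result{\\pict\\wmetafile8 0100090000}}}\n",
    b"{\\object\\objemb{\\*\\objdata ", _rtf_hex(_ole1_embedded("Package", b"not a CFB")), b"}}\n",
    b"}",
])

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_RTF), indent=2))
```

Run it as a script to see the carved objects; point carve_objdata at a real RTF's bytes to reproduce the Extracted artifacts table (offsets and decoded sizes) for any sample.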

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Columns: Filename / SHA-256 / Kind / Source / Size

objdata_00_off000451c3.bin
  SHA-256: 4f64ffd99fb259b36c8f8a392eced5c00658c82bdc7c4c18e14c29a326c6d996
  Kind: rtf-objdata-decoded    Source: RTF \objdata at offset 0x451C3    Size: 70981 bytes
objdata_01_off0004b972.bin
  SHA-256: 1a24c2d47ac5b8311c07422921612f2a5b739ca44b60fcb47b2da00d88ba2736
  Kind: rtf-objdata-decoded    Source: RTF \objdata at offset 0x4B972    Size: 70954 bytes
objdata_02_off0006fa93.bin
  SHA-256: 1168a119c26543fbaa6e9ad1f2c0221f803fb28859c4a42b2857ff6b316de929
  Kind: rtf-objdata-decoded    Source: RTF \objdata at offset 0x6FA93    Size: 2632 bytes
objdata_03_off00071036.bin
  SHA-256: e8d4fe950caed6dcfde26f4b616825bbe11b93458425974b7d075167f675abf7
  Kind: rtf-objdata-decoded    Source: RTF \objdata at offset 0x71036    Size: 12297 bytes
rtf_svb_0000c982.zip
  SHA-256: b968a2cec16a2eccd3aa86666a8f79959f25062cf3ec8dcae40e416083f7cd8a
  Kind: rtf-svb-package    Source: RTF \svb hex-decoded ZIP at offset 0xC982    Size: 2929 bytes