Malicious RTF — malware analysis report

Static analysis result for SHA-256 b60c9b59e0310127…

Verdict: MALICIOUS
File type: RTF
Size: 6.65 MB
Created (RTF \creatim metadata, author-controlled): 2021-04-09 13:29:00
First seen: 2021-05-04
MD5: 97b439d4cfe21078da87ca14cab644a6
SHA-1: f8852a5a2e5e7fe367764f3b7f6537aeff869c00
SHA-256: b60c9b59e03101277196bce597701eab5cfb0fd6b37442a5029673a11ffb9295
Risk Score: 204

Heuristics (8)

  • Equation Editor ProgID + OLE object [HIGH, CVE related] RTF_EQUATION_EDITOR
    The RTF references the Equation.3 ProgID alongside \objdata, the shape used by Equation Editor exploits (CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798). The binary CLSID payload was not found, so this is flagged HIGH rather than CRITICAL.
  • CVE-2026-21514 — Word/OLE security bypass in RTF [HIGH, CVE likely] CVE_2026_21514
    The RTF contains a hidden \svb hex package with DrsE2oDoc and downRevStg drawing-compatibility parts. This matches an observed CVE-2026-21514 exploitation shape that manipulates Word's internal document structure and trust decisions. It is a structural match, not a confirmed exploit: the \creatim timestamp (2021) predates the CVE's year, but that field is author-controlled, so treat it as neither supporting nor refuting the match.
  • Package object class [HIGH] RTF_OBJCLASS_PACKAGE
    OLE Package object. Package objects can wrap arbitrary files, including executables and scripts.
  • Large hex data blocks in OLE object [HIGH] RTF_EXCESSIVE_HEX
    The RTF contains ~1133KB of hex-encoded data inside \objdata sections, which may hide a payload.
  • OLE object data [MEDIUM] RTF_OBJDATA
    The RTF contains 2 \objdata section(s), i.e. embedded OLE objects.
  • Embedded OLE object [MEDIUM] RTF_OBJEMB
    The RTF contains \objemb, an embedded OLE object.
  • Suspicious extracted artifact [INFO] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [INFO] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body). This is the WordML 2003 XML namespace identifier that Word writes into documents; it is not a network indicator and should not be treated as a C2 or download URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
objdata_00_off00659e3f.bin | rtf-objdata-decoded | RTF \objdata at offset 0x659E3F | 132181 bytes
  SHA-256: a21b2357aeb060d794eb9aa39f06f9505bf8bf3c78050fcbee7fc701e9efb26e
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely. Carved artifact entropy is 8.00 (the maximum possible), consistent with packed or encrypted content.
objdata_01_off0069b154.bin | rtf-objdata-decoded | RTF \objdata at offset 0x69B154 | 6962 bytes
  SHA-256: 9c365020f3b82b9b13469e60e6bea4da88eac7b125405277cc93117594224ce8
rtf_svb_000d2750.zip | rtf-svb-package | RTF \svb hex-decoded ZIP at offset 0xD2750 | 142418 bytes
  SHA-256: eeff378f552b14a0900367e451bc5fd8d3313d1aff0a5ace2f963f0303f1db02
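The heuristics above (Equation.3 ProgID next to \objdata, Package class, hex-run size, entropy) and the carved artifacts in this section all come from one workflow: locate RTF hex runs, decode them, parse the OLE 1.0 container that \objdata carries, and score what falls out. The following is an added example written for this page, not the analysis tool's own code and not a parser for this sample. It runs on a constructed RTF built inside the script (an Equation.3 object whose native data mimics an OLE2 header, plus an \svb group wrapping a benign ZIP). The rule names RTF_SVB_ZIP and PACKED_OR_ENCRYPTED and the thresholds EXCESSIVE_HEX_BYTES and PACKED_ENTROPY are assumptions chosen for the demonstration; the OLE 1.0 header layout follows MS-OLEDS (version, FormatID, three length-prefixed ANSI strings, NativeDataSize, NativeData). It does not handle \bin binary runs.

```python
import io
import math
import re
import struct
import zipfile
from collections import Counter

OLE1_VERSION, FORMAT_EMBEDDED = 0x00000501, 0x00000002   # MS-OLEDS ObjectHeader values
EXCESSIVE_HEX_BYTES = 512 * 1024                         # assumed threshold, not the tool's
PACKED_ENTROPY = 7.5                                     # assumed "packed or encrypted" cut-off
MAGICS = [(b"PK\x03\x04", "zip"), (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2-compound-file")]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.00 means every byte value is equally frequent."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(blob: bytes) -> str:
    return next((kind for magic, kind in MAGICS if blob.startswith(magic)), "unknown")


def _group_body(rtf: str, start: int) -> str:
    """Text from `start` to the '}' that closes the enclosing RTF group (nesting-aware)."""
    depth, i = 1, start
    while i < len(rtf):
        ch = rtf[i]
        if ch == "\\":               # skip control symbol / escaped brace
            i += 2
            continue
        depth += (ch == "{") - (ch == "}")
        if depth == 0:
            return rtf[start:i]
        i += 1
    return rtf[start:]


def hex_run_to_bytes(raw: str) -> bytes:
    """Decode an RTF hex run; writers wrap it and may interleave control words like \\par."""
    txt = re.sub(r"\\[A-Za-z]+-?\d*\s?", "", raw)   # control words
    txt = re.sub(r"\\.", "", txt)                   # control symbols
    txt = re.sub(r"[^0-9A-Fa-f]", "", txt)
    return bytes.fromhex(txt[: len(txt) & ~1])      # drop a dangling nibble


def parse_ole1(blob: bytes):
    """OLE 1.0 EmbeddedObject: header, ClassName/TopicName/ItemName, NativeDataSize, NativeData."""
    try:
        version, fmt = struct.unpack_from("<II", blob, 0)
        if version != OLE1_VERSION or fmt != FORMAT_EMBEDDED:
            return None
        off, names = 8, []
        for _ in range(3):           # LengthPrefixedAnsiString: length counts the NUL
            (length,) = struct.unpack_from("<I", blob, off)
            off += 4
            names.append(blob[off:off + length].rstrip(b"\x00").decode("latin-1"))
            off += length
        (size,) = struct.unpack_from("<I", blob, off)
    except struct.error:
        return None
    return {"class_name": names[0], "native_data": blob[off + 4: off + 4 + size]}


def triage_rtf(rtf: str):
    """Carve \\objdata / \\svb hex runs; return per-artifact facts and rule hits."""
    artifacts = []
    for m in re.finditer(r"\\(objdata|svb)\b", rtf):
        blob = hex_run_to_bytes(_group_body(rtf, m.end()))
        if not blob:
            continue
        art = {"control_word": m.group(1), "offset": m.start(), "size": len(blob),
               "kind": classify(blob), "entropy": round(shannon_entropy(blob), 2)}
        ole = parse_ole1(blob)
        if ole:                      # score the wrapped payload, not the OLE1 wrapper
            art["class_name"] = ole["class_name"]
            art["native_kind"] = classify(ole["native_data"])
            art["native_entropy"] = round(shannon_entropy(ole["native_data"]), 2)
        artifacts.append(art)
    hits, classes = set(), {a.get("class_name") for a in artifacts}
    objdata = [a for a in artifacts if a["control_word"] == "objdata"]
    if objdata:
        hits.add("RTF_OBJDATA")
    if "\\objemb" in rtf:
        hits.add("RTF_OBJEMB")
    if objdata and ("Equation.3" in rtf or "Equation.3" in classes):
        hits.add("RTF_EQUATION_EDITOR")
    if "Package" in classes:
        hits.add("RTF_OBJCLASS_PACKAGE")
    if sum(a["size"] for a in objdata) > EXCESSIVE_HEX_BYTES:
        hits.add("RTF_EXCESSIVE_HEX")
    if any(a["control_word"] == "svb" and a["kind"] == "zip" for a in artifacts):
        hits.add("RTF_SVB_ZIP")                          # hypothetical rule name
    if any(a.get("native_entropy", a["entropy"]) > PACKED_ENTROPY for a in artifacts):
        hits.add("PACKED_OR_ENCRYPTED")                  # hypothetical rule name
    return artifacts, sorted(hits)


def build_ole1_embedded(class_name: str, native: bytes) -> bytes:
    """Inverse of parse_ole1; used only to construct the synthetic sample below."""
    def lpas(s):                     # empty string: length 0 and no bytes
        b = s.encode("latin-1") + b"\x00" if s else b""
        return struct.pack("<I", len(b)) + b
    return (struct.pack("<II", OLE1_VERSION, FORMAT_EMBEDDED) + lpas(class_name)
            + lpas("") + lpas("") + struct.pack("<I", len(native)) + native)


def build_sample_rtf() -> str:
    """Constructed sample (synthetic, not the analysed file)."""
    native = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + bytes(range(256)) * 2   # OLE2-looking, high entropy
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/drawing1.xml", "<x/>")
    wrap = lambda b: re.sub(r"(.{64})", r"\1\n", b.hex())   # writers wrap hex at ~64 columns
    return ("{\\rtf1\\ansi\n{\\object\\objemb{\\*\\objclass Equation.3}\\objw1\\objh1"
            "{\\*\\objdata " + wrap(build_ole1_embedded("Equation.3", native)) + "}}\\par\n"
            "{\\*\\svb " + wrap(buf.getvalue()) + "}\n}")


if __name__ == "__main__":
    arts, hits = triage_rtf(build_sample_rtf())
    for art in arts:
        print(art)
    print(hits)
```

The entropy is taken from the native data inside the OLE1 wrapper rather than the whole \objdata blob, because the wrapper's header and class name are low-entropy text that would dilute the score of a small packed payload. Real samples also use \bin runs, odd-length hex and objects split across groups; a production carver (oletools' rtfobj, for example) handles those cases, and this script does not.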