Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 baad1153e58c86aa…

Verdict: MALICIOUS
Type: RTF / .DOC
Size: 1.36 MB
Created: 2026-01-29 17:18:00
First seen: 2026-02-20
MD5: 6408276cdfd12a1d5d3ed7256bfba639
SHA-1: f2f66f4c96f93f17b588736455e9b279c44b6049
SHA-256: baad1153e58c86aa1dc9346cdd06be53b5dd2a6cf76202536d6721c934008f8e
Risk score: 322

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204 User Execution
  • T1204.002 Malicious File

Several heuristics fired that are consistent with exploitation of CVE-2017-8759 (a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, with OLE activation requested) and CVE-2026-21509 (the Shell.Explorer.1 CLSID is present in the RTF); the ClamAV signature additionally names CVE-2026-21514. Together with roughly 1299 KB of hex-encoded data inside the OLE objects, this is the shape of a document built to download and execute a second-stage payload from the embedded URL http://192.168.217.250/scr2.rss. Note that 192.168.217.250 is an RFC 1918 private address: the download is only reachable from inside the network the sample was built for, so treat the URL as evidence of the author's build or test environment rather than as a public indicator that can be blocked at a perimeter or pivoted on. The document text, about international weapons smuggling, is the lure that gets the recipient to open the attachment.

Heuristics (9)

  • CVE-2017-8759 — MSXML SAX OLE activation [critical; CVE likely; tag CVE_2017_8759]
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
  • CVE-2026-21509 — Shell.Explorer.1 CLSID in RTF [critical; CVE related; tag CVE_2026_21509]
    RTF document contains the Shell.Explorer.1 CLSID {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B} associated with CVE-2026-21509 (OLE/COM kill bit / Protected View bypass). Actively exploited in the wild.
  • CVE-2026-21514 — Word/OLE security bypass in RTF [high; CVE likely; tag CVE_2026_21514]
    RTF document contains an embedded Word package with a webSettings frame relationship to a local Windows diagnostics XML target. That matches observed CVE-2026-21514 exploitation, where crafted Word/OLE metadata bypasses Office security decisions when opened.
  • ClamAV: Win.Exploit.CVE_2026_21514-10059348-0 [critical; tag CLAMAV_DETECTION]
    ClamAV detected this file as malware: Win.Exploit.CVE_2026_21514-10059348-0
  • Large hex data blocks in OLE object [high; tag RTF_EXCESSIVE_HEX]
    RTF contains ~1299 KB of hex-encoded data inside \objdata sections — may hide a payload
  • OLE object data [medium; tag RTF_OBJDATA]
    RTF contains 4 \objdata section(s) — embedded OLE objects
  • Embedded OLE object [medium; tag RTF_OBJEMB]
    RTF contains \objemb — embedded OLE object
  • OlePres presentation stream in RTF OLE object [medium; tag RTF_OLEPRES_STREAM]
    RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
  • Embedded URL [info; tag EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.m
    • http://192.168.217.250/scr2.rss

Extracted artifacts (4)

Files carved from inside the sample during analysis. The four objects total 37,071 bytes, far less than the ~1299 KB of hex-encoded data the RTF_EXCESSIVE_HEX heuristic counts inside \objdata, so most of that hex is not part of the decoded OLE1 records and is worth inspecting on its own (junk or padding hex placed after an object's native data is a common RTF obfuscation).

objdata_00_off0014a62d.bin
  Kind:    rtf-objdata-decoded
  Source:  RTF \objdata at offset 0x14A62D
  Size:    2809 bytes
  SHA-256: 91a51e305f27b9dfd021ab14f0e9c217c44b065df124469a06494b3e616e5973

objdata_01_off0014bcd9.bin
  Kind:    rtf-objdata-decoded
  Source:  RTF \objdata at offset 0x14BCD9
  Size:    2609 bytes
  SHA-256: 1e0329973ff8029c55e784e4bf1c73aead56c2e4f1db6c45c2bc71b052735dd3

objdata_02_off0014d2da.bin
  Kind:    rtf-objdata-decoded
  Source:  RTF \objdata at offset 0x14D2DA
  Size:    2609 bytes
  SHA-256: bf9ff6efbf43eea6058cb4cbb82e9b3366708bdad294516eb9630b483229d275

objdata_03_off0014e890.bin
  Kind:    rtf-objdata-decoded
  Source:  RTF \objdata at offset 0x14E890
  Size:    29044 bytes
  SHA-256: 09287a551626fbb376f0d40893eb8dc359d22f56c42f4ab3d75e66ec31cf5c99
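As an added example (my own script, not code from the analysis platform that produced this report), the following Python carves \objdata sections from an RTF the way the artifact table above records them, decodes the hex, parses the OLE1 object header to recover the ProgID, hashes each carved object, and checks for the indicators named in the heuristics list: the Msxml2.SAXXMLReader.6.0 ProgID, the Shell.Explorer.1 CLSID, an embedded OLE compound document, \objemb, large hex blocks and URLs. The RTF it scans is constructed inside the script so it runs offline; the large-hex threshold and the SAX_READER_PLUS_CFB label are my own choices, and the reused tag names (RTF_OBJDATA, RTF_OBJEMB, RTF_EXCESSIVE_HEX) only borrow the report's naming, not its exact logic.

```python
"""Minimal RTF \\objdata carver and indicator scanner (added example, not the
analysis platform's code). The sample RTF is constructed below; thresholds and
flag names are assumptions for illustration."""
import binascii
import hashlib
import re
import struct
import uuid

SAX_READER_PROGID = b"Msxml2.SAXXMLReader.6.0"
SHELL_EXPLORER_CLSID = uuid.UUID("EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B")
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"       # OLE compound document header
LARGE_HEX_BYTES = 100 * 1024                            # assumed threshold, not the report's
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")


def find_objdata(rtf: bytes):
    """Yield (offset, hex_text) for each \\objdata control word: hex digits up to
    the brace closing the enclosing group; nested control words and whitespace
    are skipped (raw \\bin data is not handled)."""
    for m in re.finditer(rb"\\objdata\b", rtf):
        pos, depth, out = m.end(), 0, bytearray()
        while pos < len(rtf):
            c = rtf[pos:pos + 1]
            if c == b"{":
                depth += 1
            elif c == b"}":
                if depth == 0:
                    break
                depth -= 1
            elif c == b"\\":                              # skip a nested control word
                pos += 1
                while pos < len(rtf) and rtf[pos:pos + 1].isalnum():
                    pos += 1
                continue
            elif c in b"0123456789abcdefABCDEF":
                out += c
            pos += 1
        yield m.start(), bytes(out)


def parse_ole1(blob: bytes):
    """Parse the OLE1 ObjectHeader (MS-OLEDS 2.2.4); return (class_name, native_data)."""
    def lpstr(off):                                       # LengthPrefixedAnsiString
        (n,) = struct.unpack_from("<I", blob, off)
        s = blob[off + 4:off + 4 + n]
        if len(s) != n:
            raise ValueError("truncated LengthPrefixedAnsiString")
        return s.rstrip(b"\x00"), off + 4 + n
    _version, fmt = struct.unpack_from("<II", blob, 0)
    class_name, off = lpstr(8)
    _topic, off = lpstr(off)
    _item, off = lpstr(off)
    if fmt != 2:                                          # 2 = EmbeddedObject
        return class_name, blob[off:]
    (size,) = struct.unpack_from("<I", blob, off)
    return class_name, blob[off + 4:off + 4 + size]


def scan_rtf(rtf: bytes) -> dict:
    """Carve every \\objdata object, hash it and evaluate the indicators."""
    objects, urls, hex_chars = [], set(URL_RE.findall(rtf)), 0
    for offset, hexdata in find_objdata(rtf):
        hex_chars += len(hexdata)
        blob = binascii.unhexlify(hexdata[:len(hexdata) & ~1])   # drop a dangling nibble
        try:
            class_name, native = parse_ole1(blob)
        except (ValueError, struct.error):                # not an OLE1 record: scan it raw
            class_name, native = b"", blob
        urls |= set(URL_RE.findall(blob))
        objects.append({
            "offset": offset, "size": len(blob),
            "sha256": hashlib.sha256(blob).hexdigest(),
            "class_name": class_name.decode("latin-1"),
            "cfb": native.startswith(CFB_MAGIC),
            "sax_reader": SAX_READER_PROGID in blob,
            # CLSID may appear as a binary GUID (little-endian) or as text
            "shell_explorer": (SHELL_EXPLORER_CLSID.bytes_le in blob
                               or str(SHELL_EXPLORER_CLSID).encode() in blob.lower()),
        })
    flags = []
    if objects:
        flags.append("RTF_OBJDATA")
    if rb"\objemb" in rtf:
        flags.append("RTF_OBJEMB")
    if hex_chars // 2 > LARGE_HEX_BYTES:
        flags.append("RTF_EXCESSIVE_HEX")
    if any(o["sax_reader"] for o in objects) and any(o["cfb"] for o in objects):
        flags.append("SAX_READER_PLUS_CFB")               # staging shape tied to CVE-2017-8759
    if any(o["shell_explorer"] for o in objects):
        flags.append("SHELL_EXPLORER_CLSID")
    return {"objects": objects, "hex_bytes": hex_chars // 2, "flags": flags,
            "urls": sorted(u.decode("latin-1") for u in urls)}


def build_ole1_embedded(class_name: bytes, native: bytes) -> bytes:
    """Build an OLE1 EmbeddedObject record (used only to construct the sample)."""
    def lp(s):
        return (struct.pack("<I", len(s) + 1) + s + b"\x00") if s else struct.pack("<I", 0)
    return (struct.pack("<II", 0x00000501, 2) + lp(class_name) + lp(b"") + lp(b"")
            + struct.pack("<I", len(native)) + native)


# Constructed sample, not the analysed file: a SAX reader object followed by an
# embedded compound document carrying the Shell.Explorer.1 CLSID, plus a lure URL.
SAMPLE_SAX_OBJ = build_ole1_embedded(SAX_READER_PROGID, b"\x00" * 16)
SAMPLE_CFB_OBJ = build_ole1_embedded(b"Package", CFB_MAGIC + b"\x00" * 24 + SHELL_EXPLORER_CLSID.bytes_le)
SAMPLE_RTF = (
    b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Arial;}}\n"
    b"\\pard Shipment details: http://192.168.217.250/scr2.rss \\par\n"
    b"{\\object\\objemb{\\*\\objclass Msxml2.SAXXMLReader.6.0}{\\*\\objdata\n"
    + binascii.hexlify(SAMPLE_SAX_OBJ) + b"\n}}\n"
    b"{\\object\\objemb{\\*\\objdata " + binascii.hexlify(SAMPLE_CFB_OBJ) + b"}}\n}\n"
)

if __name__ == "__main__":
    import json
    print(json.dumps(scan_rtf(SAMPLE_RTF), indent=2))
```

Run it on a real sample with `scan_rtf(open(path, "rb").read())`; the per-object sha256 and decoded size are what you would compare against an artifact table like the one above, and a large gap between `hex_bytes` and the sum of object sizes is the signal that hex outside the OLE1 records deserves a manual look.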