Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 c61a761cf63e1410…

Verdict: MALICIOUS
Type: RTF / .DOC
Size: 223.3 KB
Created: 2024-10-09 17:53:00
MD5: e23a5cb9678473f73a4d9ee24e8aedb1
SHA-1: c01d35cf649c5a3edfa18287d60df6aa46e35401
SHA-256: c61a761cf63e14107e5dfa82aa931bce2342f71288a1435ac2470d1c4bf3c7de
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1204.002 User Execution: Malicious File
T1566.001 Phishing: Spearphishing Attachment

The sample is an RTF document that exploits CVE-2026-21514, a Word/OLE security bypass. It contains a hidden ".zip" package which likely contains the malicious payload. The document also triggered the SE_ENABLE_LURE heuristic, indicating it likely prompts the user to enable macros or editing in order to execute the exploit. No scripts were extracted, and the document body was unreadable, limiting further analysis of the exact lure.

Heuristics (3)

  • CVE-2026-21514 — Word/OLE security bypass in RTF [severity: high | CVE likely | id: CVE_2026_21514]
    RTF contains a hidden \svb hex package with DrsE2oDoc and downRevStg drawing compatibility parts. This matches an observed CVE-2026-21514 exploitation shape that manipulates Word's internal document structure and trust decisions.
  • Macro/content-enable lure [severity: medium | id: SE_ENABLE_LURE]
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings.
  • Embedded URL [severity: info | id: EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2003/wordml

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: rtf_svb_00005a15.zip
SHA-256: baa27f20bd35c37d5871b1ec82ebfcde5e948e35d8ae25e0bce72f3f7fbb1afb
Kind: rtf-svb-package
Source: RTF \svb hex-decoded ZIP at offset 0x5A15
Size: 1823 bytes