Malicious RTF — malware analysis report

Static analysis result for SHA-256 ca7e9c65fd2cec62…

MALICIOUS

RTF

Size: 64.9 KB
Created: 2022-06-03 02:24:00
First seen: 2022-06-03
MD5: 242d2fa02535599dae793e731b6db5a2
SHA-1: 0646ef9e20628c47c2140c0fc4b51ce3a7ad4c30
SHA-256: ca7e9c65fd2cec62110b50581529198c43b7982820a38c912baa81d0294b8126
Risk Score: 202

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The file is an RTF document that leverages OLE object data and composite monikers to exploit CVE-2017-0199. This vulnerability allows the document to download and execute a secondary payload from a remote URL. The embedded URL 'http://45.76.53.253/1.html' is highly suspicious and likely serves as the source for the malicious payload. The ClamAV detection confirms the presence of a known exploit.

Heuristics (6)

  • Composite Moniker in RTF OLE object (severity: high, CVE related) [RTF_COMPOSITE_MONIKER_RELATED]
    RTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
  • CVE-2026-21514 — Word/OLE security bypass in RTF (severity: high, CVE likely) [CVE_2026_21514]
    RTF contains a hidden \svb hex package with DrsE2oDoc and downRevStg drawing compatibility parts. This matches an observed CVE-2026-21514 exploitation shape that manipulates Word's internal document structure and trust decisions.
  • ClamAV: Rtf.Exploit.CVE_2017_0199-6335035-0 (severity: critical) [CLAMAV_DETECTION]
    ClamAV detected this file as malware: Rtf.Exploit.CVE_2017_0199-6335035-0
  • Automatically linked OLE object (severity: high) [RTF_OBJAUTLINK]
    RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • OLE object data (severity: medium) [RTF_OBJDATA]
    RTF contains 1 \objdata section(s) — embedded OLE objects.
  • Embedded URL (severity: info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://45.76.53.253/1.html
    • http://schemas.microsoft.com/office/word/2003/wordml}}\paperw11906\paperh16838\margl1800\margr1800\margt1440\margb1440\gutter0\ltrsect (the extracted string runs on into the RTF control words that follow the WordML namespace URL in the document)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: objdata_00_off000071d7.bin
  SHA-256: df0fc1cb8163c794e16fe7eea4a5073e2e3a334382fb8d234a81ac177bb8df30
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x71D7
  Size: 2601 bytes

Filename: rtf_svb_000050a5.zip
  SHA-256: 49fe353c34f19ddcab2b8db896134812ab7a6be4c5cb3318102fb7da105a512c
  Kind: rtf-svb-package
  Source: RTF \svb hex-decoded ZIP at offset 0x50A5
  Size: 1602 bytes