Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 fd3f13db41cd5b44…

MALICIOUS

RTF / .DOC

124.6 KB Created: 2026-01-30 17:20:00 First seen: 2026-02-02
MD5: d47261e52335b516a777da368208ee91 SHA-1: c8c84bf33c05fb3a69bc5e2d6377b73649b93dce SHA-256: fd3f13db41cd5b442fa26ba8bc0e9703ed243b3516374e3ef89be71cbf07436b
282 Risk Score

Malware Insights

MITRE ATT&CK
T1204 Malicious Link T1059 Command and Scripting Interpreter T1566 Phishing

The file is an RTF document that leverages multiple critical vulnerabilities including CVE-2017-8759, CVE-2026-21509, and CVE-2026-21514, indicating it's designed to exploit security flaws in Microsoft Office applications. The presence of embedded OLE objects and the detection by ClamAV as Win.Exploit further support this. The embedded URL http://192.168.217.250/scr2.rss is likely used to download a secondary payload, which is a common technique for exploit-based documents.

Heuristics 8

  • CVE-2017-8759 — MSXML SAX OLE activation critical CVE likely CVE_2017_8759
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
  • CVE-2026-21509 — Shell.Explorer.1 CLSID in RTF critical CVE related CVE_2026_21509
    RTF document contains the Shell.Explorer.1 CLSID {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B} associated with CVE-2026-21509 (OLE/COM Killbit / Protected View bypass). Actively exploited in the wild.
  • CVE-2026-21514 — Word/OLE security bypass in RTF high CVE likely CVE_2026_21514
    RTF document contains an embedded Word package with a webSettings frame relationship to a local Windows diagnostics XML target. That matches observed CVE-2026-21514 exploitation, where crafted Word/OLE metadata bypasses Office security decisions when opened.
  • ClamAV: Win.Exploit.CVE_2026_21514-10059348-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Exploit.CVE_2026_21514-10059348-0
  • OLE object data medium RTF_OBJDATA
    RTF contains 4 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • OlePres presentation stream in RTF OLE object medium RTF_OLEPRES_STREAM
    RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://192.168.217.250/scr2.rss
    • http://schemas.microsoft.com/office/word/2003/wordml}}\paperw11906\paperh16838\margl1134\margr1134\margt1134\margb1134\gutter0\ltrsect

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off0000c736.bin
6f742319c539b7addcc7e65ed90dfc51bb67acc862d1b794808b46aacd3795d2		 rtf-objdata-decoded RTF \objdata at offset 0xC736 2809 bytes
objdata_01_off0000dde2.bin
824f1c364d21d6b527d49299d67c70ee165ce4bf03a7f09b9ca2cd57c8d2f4c1		 rtf-objdata-decoded RTF \objdata at offset 0xDDE2 2609 bytes
objdata_02_off0000f3e3.bin
f0d55f177c0ae1df502106243867a3de51c105a4f6a45b69288cc35c6bedc5dc		 rtf-objdata-decoded RTF \objdata at offset 0xF3E3 2609 bytes
objdata_03_off00010999.bin
09287a551626fbb376f0d40893eb8dc359d22f56c42f4ab3d75e66ec31cf5c99		 rtf-objdata-decoded RTF \objdata at offset 0x10999 29044 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.