Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 feab754463aeb5e9…

MALICIOUS

RTF / .DOC

Size: 223.3 KB   Created: 2024-10-09 17:53:00   First seen: 2026-06-17
MD5: 45a343479230dc853b8732f292e19cb6
SHA-1: d72c6351c632fd7c7001b1ac5a1636427e9a64dd
SHA-256: feab754463aeb5e97f429b4db8c882c3db5a114434527fe3397ff95101d86521
Risk Score: 122

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF file contains a critical heuristic firing for remote template injection, pointing to a suspicious URL. This indicates the document is designed to lure the user into enabling content, likely to download and execute a secondary payload from the specified URL. The presence of a hidden OLE package further supports the exploitation of vulnerabilities for execution.

Heuristics (4)

  • Remote template injection (\*\template → remote URL) (severity: critical; CVE related) [RTF_REMOTE_TEMPLATE]
    The RTF's \*\template destination is a remote URL/UNC path. When Word opens the document it fetches and loads that template, which can carry macros or an exploit, deliver a scriptlet/HTA, or leak NTLM credentials over UNC. Benign documents attach only a local template, so a remote \*\template target is template-injection delivery (MITRE T1221).
    Matched indicators: remote \*\template target (Word fetches it on open); destination obfuscated with \uN/\'xx escapes; target is active/script content, not a .dot template.
  • CVE-2026-21514 — Word/OLE security bypass in RTF (severity: high; CVE likely) [CVE_2026_21514]
    RTF contains a hidden \svb hex package with DrsE2oDoc and downRevStg drawing compatibility parts. This matches an observed CVE-2026-21514 exploitation shape that manipulates Word's internal document structure and trust decisions.
  • Macro/content-enable lure (severity: medium) [SE_ENABLE_LURE]
    Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings.
  • Embedded URL (severity: info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://greezupdto.info/5IrzalAfHEUM9Tg6/5zbnrP5Dj2BLtwQm.php (in RTF body)
    • http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: rtf_svb_00005a15.zip
Kind: rtf-svb-package
Source: RTF \svb hex-decoded ZIP at offset 0x5A15
Size: 1823 bytes
SHA-256: baa27f20bd35c37d5871b1ec82ebfcde5e948e35d8ae25e0bce72f3f7fbb1afb