Malicious RTF / .DOC — malware analysis report

Heuristics 7

• CVE-2026-21509 — Shell.Explorer.1 CLSID in RTF critical CVE related CVE_2026_21509
  RTF document contains the Shell.Explorer.1 CLSID {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B} associated with CVE-2026-21509 (OLE/COM Killbit / Protected View bypass). Actively exploited in the wild.
• CVE-2026-21514 — Word/OLE security bypass in RTF high CVE likely CVE_2026_21514
  RTF document contains an embedded Word package with a webSettings frame relationship to a local Windows diagnostics XML target. That matches observed CVE-2026-21514 exploitation, where crafted Word/OLE metadata bypasses Office security decisions when opened.
  URL http://schemas.microsoft.com/office/word/2003/wordml}{\xmlns2
• ClamAV: Win.Exploit.CVE_2026_21514-10059348-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Win.Exploit.CVE_2026_21514-10059348-0
• Large hex data blocks in OLE object high RTF_EXCESSIVE_HEX
  RTF contains ~2133KB of hex-encoded data inside \objdata sections — may hide a payload
• OLE object data medium RTF_OBJDATA
  RTF contains 4 \objdata section(s) — embedded OLE objects
• Embedded OLE object medium RTF_OBJEMB
  RTF contains \objemb — embedded OLE object
• OlePres presentation stream in RTF OLE object medium RTF_OLEPRES_STREAM
  RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.

Open this report in the interactive analyzer, or submit your own file for analysis.