RTF malware analysis — malicious · 2bbcbc88d0461507

MALICIOUS

RTF

657.0 KB Created: 2026-02-04 10:34:00 Authoring application: LibreOffice/25.8.3.2$Linux_X86_64 LibreOffice_project/580$Build-2 First seen: 2026-02-24

MD5: e0d883fa1a601b2fd7b08ba300d7e6f8 SHA-1: 419aaddb4740de5ae83b3bd1af1e7703ac147666 SHA-256: 2bbcbc88d04615079fa17708c62f07ccb138c19bb9ed78ae43f9172cd91931ba

80 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File T1059.001 PowerShell

The RTF document contains OLE object data that decodes to the Shell.Explorer.1 CLSID, indicating exploitation of CVE-2026-21509. This vulnerability allows for arbitrary code execution, which is likely used to download and execute a second-stage payload. The document body is a fake inspection report, a common lure for social engineering.

Heuristics 2

CVE-2026-21509 — Shell.Explorer.1 CLSID in RTF critical CVE related CVE_2026_21509

RTF document contains the Shell.Explorer.1 CLSID {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B} associated with CVE-2026-21509 (OLE/COM Killbit / Protected View bypass). Actively exploited in the wild.
OLE object data medium RTF_OBJDATA

RTF contains 2 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off0008046a.bin` `6103dca5a9c4740a66cac21035e831952b0edc92dba5a94890f08f47c93a77d7`	rtf-objdata-decoded	RTF \objdata at offset 0x8046A	2610 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.