Malicious RTF — malware analysis report

Static analysis result for SHA-256 507d40eb1542e9c2…

Verdict: MALICIOUS
File type: RTF
Size: 11.67 MB
Created: 2026-04-09 21:23:00
First seen: 2026-04-13

MD5: f4f225488a15d32a1f49fa28eeb6b312
SHA-1: d0b2e4a8a6058d5686a7bfbfbfbdc0c6bbe0ed15
SHA-256: 507d40eb1542e9c2a763b765a540153cca93e9b86dbbf4004f28939290bb1135

Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1059.001 PowerShell

The RTF file contains multiple OLE objects carrying excessive hex-encoded data, a common technique for hiding payloads. The critical-severity heuristic that fired indicates exploitation of CVE-2026-21509 via the Shell.Explorer.1 CLSID, which allows arbitrary code execution. This suggests the file is designed to exploit this vulnerability in order to deliver a secondary payload.

Heuristics (3)

  • CVE-2026-21509 — Shell.Explorer.1 CLSID in RTF (severity: critical; rule: CVE_2026_21509; tag: CVE related)
    RTF document contains the Shell.Explorer.1 CLSID {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B} associated with CVE-2026-21509 (OLE/COM Killbit / Protected View bypass). Actively exploited in the wild.
  • Large hex data blocks in OLE object (severity: high; rule: RTF_EXCESSIVE_HEX)
    RTF contains ~12032 KB of hex-encoded data inside \objdata sections — may hide a payload.
  • OLE object data (severity: medium; rule: RTF_OBJDATA)
    RTF contains 3 \objdata section(s) — embedded OLE objects.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Each entry lists Filename, SHA-256, Kind, Source and Size.

  • objdata_00_off00b7c474.bin
    SHA-256: 4ed5475fae1e14c50e54190950669e2fb30cf761c30f5af3d04904b6afc19d8f
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0xB7C474
    Size: 419 bytes
  • objdata_01_off00b7f5bf.bin
    SHA-256: 87673930d4a2b0b398b7c841c62013e4f07a96a9d8987670b908b0e6a1900013
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0xB7F5BF
    Size: 2565 bytes
  • objdata_02_off00b92286.bin
    SHA-256: 2648a0a0c1d752ccf479c37e9869b8b7f1853db2cc211670ec7a1879647bd751
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0xB92286
    Size: 2565 bytes