Malicious RTF — malware analysis report

Heuristics 8

• CVE-2026-21509 — Shell.Explorer.1 CLSID in RTF critical CVE related CVE_2026_21509
  RTF document contains the Shell.Explorer.1 CLSID {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B} associated with CVE-2026-21509 (OLE/COM Killbit / Protected View bypass). Actively exploited in the wild.
• CVE-2026-21514 — Word/OLE security bypass in RTF high CVE likely CVE_2026_21514
  RTF document contains an embedded Word package with a webSettings frame relationship to a local Windows diagnostics XML target. That matches observed CVE-2026-21514 exploitation, where crafted Word/OLE metadata bypasses Office security decisions when opened.
• ClamAV: Win.Exploit.CVE_2026_21514-10059348-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Win.Exploit.CVE_2026_21514-10059348-0
• Large hex data blocks in OLE object high RTF_EXCESSIVE_HEX
  RTF contains ~4535KB of hex-encoded data inside \objdata sections — may hide a payload
• OLE object data medium RTF_OBJDATA
  RTF contains 4 \objdata section(s) — embedded OLE objects
• Embedded OLE object medium RTF_OBJEMB
  RTF contains \objemb — embedded OLE object
• OlePres presentation stream in RTF OLE object medium RTF_OLEPRES_STREAM
  RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL http://192.168.217.250/scr2.rss In RTF body

  • http://schemas.microsoft.com/office/word/2003/wordmlIn RTF body

Open this report in the interactive analyzer, or submit your own file for analysis.