MALICIOUS
262
Risk Score
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment
The RTF file contains embedded OLE objects and exhibits characteristics of known exploits, specifically CVE-2026-21509 and CVE-2026-21514, which are designed to bypass security mechanisms in Microsoft Office. The presence of a suspicious URL, http://192.168.217.250/scr2.rss, suggests a potential download or command-and-control channel. The document body's content about weapons smuggling appears to be a lure to disguise the malicious intent.
Heuristics 8
-
CVE-2026-21509 — Shell.Explorer.1 CLSID in RTF critical CVE_2026_21509RTF document contains the Shell.Explorer.1 CLSID {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B} associated with CVE-2026-21509 (OLE/COM Killbit / Protected View bypass). Actively exploited in the wild.
-
CVE-2026-21514 — Word/OLE security bypass in RTF high CVE likely CVE_2026_21514RTF document contains an embedded Word package with a webSettings frame relationship to a local Windows diagnostics XML target. That matches observed CVE-2026-21514 exploitation, where crafted Word/OLE metadata bypasses Office security decisions when opened.
-
ClamAV: Win.Exploit.CVE_2026_21514-10059348-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Win.Exploit.CVE_2026_21514-10059348-0
-
Large hex data blocks in OLE object high RTF_EXCESSIVE_HEXRTF contains ~1299KB of hex-encoded data inside \objdata sections — may hide a payload
-
OLE object data medium RTF_OBJDATARTF contains 4 \objdata section(s) — embedded OLE objects
-
Embedded OLE object medium RTF_OBJEMBRTF contains \objemb — embedded OLE object
-
OlePres presentation stream in RTF OLE object medium RTF_OLEPRES_STREAMRTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://192.168.217.250/scr2.rss In RTF body
- http://schemas.microsoft.com/office/word/2003/wordmlIn RTF body
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
objdata_00_off0014a62d.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x14A62D | 2809 bytes |
SHA-256: 91a51e305f27b9dfd021ab14f0e9c217c44b065df124469a06494b3e616e5973 |
|||
objdata_01_off0014bcd9.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x14BCD9 | 2609 bytes |
SHA-256: 1e0329973ff8029c55e784e4bf1c73aead56c2e4f1db6c45c2bc71b052735dd3 |
|||
objdata_02_off0014d2da.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x14D2DA | 2609 bytes |
SHA-256: bf9ff6efbf43eea6058cb4cbb82e9b3366708bdad294516eb9630b483229d275 |
|||
objdata_03_off0014e890.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x14E890 | 29044 bytes |
SHA-256: 09287a551626fbb376f0d40893eb8dc359d22f56c42f4ab3d75e66ec31cf5c99 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.