RTF / .DOC malware analysis — malicious · b68e729104d051ea

MALICIOUS

RTF / .DOC

16.5 KB

MD5: c3125b3aa095ff7cb5fc4f9b83a3a9ef SHA-1: abf91bec048335328e2d77e07baa35e8de8b186e SHA-256: b68e729104d051eaf3d118f9fd9c3fde81255f2b14f349a9ce421423407e5a77

100 Risk Score

Malware Insights

MITRE ATT&CK

T1204 Malicious Link T1204.002 Malicious File T1059 Command and Scripting Interpreter T1059.001 PowerShell

The RTF file contains embedded OLE object data, specifically triggering a critical heuristic for CVE-2026-21509. This indicates the file is designed to exploit a vulnerability via the Shell.Explorer.1 CLSID within the RTF structure, likely to achieve arbitrary code execution.

Heuristics 3

CVE-2026-21509 — Shell.Explorer.1 CLSID in RTF critical CVE related CVE_2026_21509

RTF document contains the Shell.Explorer.1 CLSID {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B} associated with CVE-2026-21509 (OLE/COM Killbit / Protected View bypass). Actively exploited in the wild.
OLE object data medium RTF_OBJDATA

RTF contains 1 \objdata section(s) — embedded OLE objects
Embedded OLE object medium RTF_OBJEMB

RTF contains \objemb — embedded OLE object

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off00002916.bin` `b5cd2e559d89d7f71821632bdf32eebb5860c03b74d776c189b40329f690fa99`	rtf-objdata-decoded	RTF \objdata at offset 0x2916	2609 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.