MALICIOUS
260
Risk Score
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Phishing: Spearphishing Attachment
The RTF file contains multiple OLE objects and excessive hex-encoded data, indicative of a hidden payload. Critical heuristics identify specific vulnerabilities, CVE-2026-21509 and CVE-2026-21514, related to Shell.Explorer.1 CLSID and OLE security bypass within the RTF structure. These findings strongly suggest the file is designed to exploit these vulnerabilities for initial execution.
Heuristics 7
-
CVE-2026-21509 — Shell.Explorer.1 CLSID in RTF critical CVE_2026_21509RTF document contains the Shell.Explorer.1 CLSID {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B} associated with CVE-2026-21509 (OLE/COM Killbit / Protected View bypass). Actively exploited in the wild.
-
CVE-2026-21514 — Word/OLE security bypass in RTF high CVE likely CVE_2026_21514RTF document contains an embedded Word package with a webSettings frame relationship to a local Windows diagnostics XML target. That matches observed CVE-2026-21514 exploitation, where crafted Word/OLE metadata bypasses Office security decisions when opened.URL http://schemas.m
-
ClamAV: Win.Exploit.CVE_2026_21514-10059348-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Win.Exploit.CVE_2026_21514-10059348-0
-
Large hex data blocks in OLE object high RTF_EXCESSIVE_HEXRTF contains ~1299KB of hex-encoded data inside \objdata sections — may hide a payload
-
OLE object data medium RTF_OBJDATARTF contains 4 \objdata section(s) — embedded OLE objects
-
Embedded OLE object medium RTF_OBJEMBRTF contains \objemb — embedded OLE object
-
OlePres presentation stream in RTF OLE object medium RTF_OLEPRES_STREAMRTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
Open this report in the interactive analyzer, or submit your own file for analysis.