Malicious RTF — malware analysis report

Static analysis result for SHA-256 ea078216452f5f6d…

Verdict: MALICIOUS

File type: RTF

Size: 169.6 KB
Created: 2026-02-04 10:38:00
Authoring application: LibreOffice/25.8.3.2$Linux_X86_64 LibreOffice_project/580$Build-2
First seen: 2026-02-24
MD5: 823a9143613e9a107edb337214f1942b
SHA-1: 2e0ce250f5507388c8c31b607ce4204459e0a106
SHA-256: ea078216452f5f6d4eea27bbc062286396a5252e2c267ecc3933d05a4e38da15
Risk score: 80

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The sample is an RTF document containing OLE object data. Critical heuristic firings indicate the presence of the Shell.Explorer.1 CLSID, which is associated with the CVE-2026-21509 vulnerability. This suggests the document is designed to exploit this vulnerability for arbitrary code execution. The document body is a form for written explanations related to an administrative offense, likely a lure to encourage opening the malicious RTF.

Heuristics (2)

  • CVE-2026-21509 — Shell.Explorer.1 CLSID in RTF (severity: critical; category: CVE related; tag: CVE_2026_21509)
    RTF document contains the Shell.Explorer.1 CLSID {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B} associated with CVE-2026-21509 (OLE/COM Killbit / Protected View bypass). Actively exploited in the wild.
  • OLE object data (severity: medium; tag: RTF_OBJDATA)
    RTF contains 2 \objdata section(s) — embedded OLE objects

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: objdata_00_off00006065.bin
    SHA-256: 748e1f6123e65cd64213aa1b699fc1c3b858c7e94effc1f18ffc5e69a794b858
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x6065
    Size: 2610 bytes