Malware Insights
The RTF document contains embedded OLE object data, specifically triggering the critical heuristic CVE_2026_21509. This indicates the exploitation of a known vulnerability (CVE-2026-21509) related to the Shell.Explorer.1 CLSID within RTF files. The presence of this exploit suggests the document is designed to execute arbitrary code upon opening, likely as a means to download and run a secondary malicious payload. The document body itself appears to be a benign agenda, suggesting the malicious functionality is entirely contained within the exploit.
Heuristics 3
- CVE-2026-21509 — Shell.Explorer.1 CLSID in RTF (severity: critical, rule CVE_2026_21509): RTF document contains the Shell.Explorer.1 CLSID {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B} associated with CVE-2026-21509 (OLE/COM Killbit / Protected View bypass). Actively exploited in the wild.
- OLE object data (severity: medium, rule RTF_OBJDATA): RTF contains 3 \objdata section(s) — embedded OLE objects.
- Embedded URL (severity: info, rule EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.microsoft.com/office/word/2003/wordml
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| objdata_00_off00010d1a.bin | 4443d5aa1b979f173e17490df80a8e53e5893ac896f7ae1b779793f10de33d59 | rtf-objdata-decoded | RTF \objdata at offset 0x10D1A | 418 bytes |
| objdata_01_off000144cd.bin | d6bc2a88817db649a1314865aa1c9c651e19e04c338ca7890ebd1577abe9a626 | rtf-objdata-decoded | RTF \objdata at offset 0x144CD | 2565 bytes |
| objdata_02_off000299a6.bin | 700a88ceada129429444247582a5821764c7e800c6dc3b361d8ca443b96743c1 | rtf-objdata-decoded | RTF \objdata at offset 0x299A6 | 2565 bytes |