Malware Insights
The RTF document contains multiple critical heuristic firings indicating exploitation of CVE-2017-8759 and CVE-2026-21509, which are known to facilitate arbitrary code execution. The presence of embedded OLE objects and specific CLSIDs further supports this. The document body, written in Romanian and English, attempts to create a sense of urgency by detailing a supposed criminal smuggling operation, likely a lure to encourage the user to open the malicious content. The embedded URL http://192.168.217.250/scr2.rss is highly suspicious and likely serves as a download location for a secondary payload.
Heuristics 8
-
CVE-2017-8759 — MSXML SAX OLE activation critical CVE likely CVE_2017_8759RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
-
CVE-2026-21509 — Shell.Explorer.1 CLSID in RTF critical CVE_2026_21509RTF document contains the Shell.Explorer.1 CLSID {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B} associated with CVE-2026-21509 (OLE/COM Killbit / Protected View bypass). Actively exploited in the wild.
-
CVE-2026-21514 — Word/OLE security bypass in RTF high CVE likely CVE_2026_21514RTF document contains an embedded Word package with a webSettings frame relationship to a local Windows diagnostics XML target. That matches observed CVE-2026-21514 exploitation, where crafted Word/OLE metadata bypasses Office security decisions when opened.
-
ClamAV: Win.Exploit.CVE_2026_21514-10059348-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Win.Exploit.CVE_2026_21514-10059348-0
-
OLE object data medium RTF_OBJDATARTF contains 4 \objdata section(s) — embedded OLE objects
-
Embedded OLE object medium RTF_OBJEMBRTF contains \objemb — embedded OLE object
-
OlePres presentation stream in RTF OLE object medium RTF_OLEPRES_STREAMRTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://192.168.217.250/scr2.rss
- http://schemas.microsoft.com/office/word/2003/wordml}}\paperw11906\paperh16838\margl1134\margr1134\margt1134\margb1134\gutter0\ltrsect
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
objdata_00_off0000ac9a.binffd89acd72cf3f9f5d0dad586522665f75b7e25a03f1a7f42532b4e1ff0cece0 |
rtf-objdata-decoded | RTF \objdata at offset 0xAC9A | 2809 bytes |
objdata_01_off0000c346.bin168317934a425253a40d3e63ff00818048e1003ed0c49c86d2b11d882bb6f679 |
rtf-objdata-decoded | RTF \objdata at offset 0xC346 | 2609 bytes |
objdata_02_off0000d947.bin4639ac27827b5ade2cb50fa8ee9ab1ddbb605b935e0c653c18be9bd2ad82a4ef |
rtf-objdata-decoded | RTF \objdata at offset 0xD947 | 2609 bytes |
objdata_03_off0000eefe.bin09287a551626fbb376f0d40893eb8dc359d22f56c42f4ab3d75e66ec31cf5c99 |
rtf-objdata-decoded | RTF \objdata at offset 0xEEFE | 29044 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.