Verdict: MALICIOUS
Risk Score: 122
Malware Insights
MITRE ATT&CK
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
- T1059.001 PowerShell
The RTF file contains OLE object data with excessive hex-encoded data, indicative of a hidden payload. A critical heuristic identified the CVE-2026-21509 vulnerability, which is associated with the Shell.Explorer.1 CLSID in RTF files. This suggests the document is designed to exploit this vulnerability to achieve arbitrary code execution, likely for downloading and executing a second-stage payload. No scripts were extracted, and the document body content appears benign, focusing on consultation topics related to Ukraine.
Heuristics (4)
- CVE-2026-21509 — Shell.Explorer.1 CLSID in RTF (severity: critical, rule: CVE_2026_21509): RTF document contains the Shell.Explorer.1 CLSID {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B} associated with CVE-2026-21509 (OLE/COM Killbit / Protected View bypass). Actively exploited in the wild.
- Large hex data blocks in OLE object (severity: high, rule: RTF_EXCESSIVE_HEX): RTF contains ~1689KB of hex-encoded data inside \objdata sections — may hide a payload.
- OLE object data (severity: medium, rule: RTF_OBJDATA): RTF contains 2 \objdata section(s) — embedded OLE objects.
- Embedded URL (severity: info, rule: EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.microsoft.com/office/word/2003/wo
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| objdata_00_off001ac71b.bin | 36a13c9488aaf0ed34254a7f44d963f4b06c214f4438857aec5cbad64049111d | rtf-objdata-decoded | RTF \objdata at offset 0x1AC71B | 2809 bytes |
| objdata_01_off001add71.bin | 9368bcc57c086f9d26792eee0120444a676c7694ba691b243d066085fcb4cba3 | rtf-objdata-decoded | RTF \objdata at offset 0x1ADD71 | 2609 bytes |