MALICIOUS
222
Risk Score
Heuristics 7
-
CVE-2026-21509 — Shell.Explorer.1 CLSID in RTF critical CVE_2026_21509RTF document contains the Shell.Explorer.1 CLSID {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B} associated with CVE-2026-21509 (OLE/COM Killbit / Protected View bypass). Actively exploited in the wild.
-
CVE-2026-21514 — Word/OLE security bypass in RTF high CVE likely CVE_2026_21514RTF document contains an embedded Word package with a webSettings frame relationship to a local Windows diagnostics XML target. That matches observed CVE-2026-21514 exploitation, where crafted Word/OLE metadata bypasses Office security decisions when opened.
-
ClamAV: Win.Exploit.CVE_2026_21514-10059348-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Win.Exploit.CVE_2026_21514-10059348-0
-
OLE object data medium RTF_OBJDATARTF contains 4 \objdata section(s) — embedded OLE objects
-
Embedded OLE object medium RTF_OBJEMBRTF contains \objemb — embedded OLE object
-
OlePres presentation stream in RTF OLE object medium RTF_OLEPRES_STREAMRTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://192.168.217.250/scr2.rss In RTF body
- http://schemas.microsoft.com/office/word/2003/wordmlIn RTF body
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
objdata_00_off0000c736.bin |
rtf-objdata-decoded | RTF \objdata at offset 0xC736 | 2809 bytes |
SHA-256: 6f742319c539b7addcc7e65ed90dfc51bb67acc862d1b794808b46aacd3795d2 |
|||
objdata_01_off0000dde2.bin |
rtf-objdata-decoded | RTF \objdata at offset 0xDDE2 | 2609 bytes |
SHA-256: 824f1c364d21d6b527d49299d67c70ee165ce4bf03a7f09b9ca2cd57c8d2f4c1 |
|||
objdata_02_off0000f3e3.bin |
rtf-objdata-decoded | RTF \objdata at offset 0xF3E3 | 2609 bytes |
SHA-256: f0d55f177c0ae1df502106243867a3de51c105a4f6a45b69288cc35c6bedc5dc |
|||
objdata_03_off00010999.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x10999 | 29044 bytes |
SHA-256: 09287a551626fbb376f0d40893eb8dc359d22f56c42f4ab3d75e66ec31cf5c99 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.