MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ea078216452f5f6d4eea27bbc062286396a5252e2c267ecc3933d05a4e38da15. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 11

SHA256 hash: ea078216452f5f6d4eea27bbc062286396a5252e2c267ecc3933d05a4e38da15
SHA3-384 hash: ece976cb71746dfc37290d51f2665ad27ad79b4d1b1e1ffa93821a029300431235074f5bab9afcacd9808d5ff1f0b83c
SHA1 hash: 2e0ce250f5507388c8c31b607ce4204459e0a106
MD5 hash: 823a9143613e9a107edb337214f1942b
humanhash: carolina-speaker-magnesium-echo
File name: design.rtf
Download: download sample
File size: 173'710 bytes
First seen: 2026-02-24 17:03:58 UTC
Last seen: 2026-03-27 10:57:28 UTC
File type: Rich Text Format (RTF) rtf
MIME type: text/rtf
ssdeep: 768:E2bK0ZFQW0paHX7O44444444CEka+Cui+NuQ:PEm
TLSH: T1820458996A5D4AB573432C642C27F3CA7674DB7BB320AE3DD5360240905E3A807F6C6B
TrID: 83.3% (.RTF) Rich Text Format (5000/1)
      16.6% (.JSON) JSON object (generic) (1000/1)
Magika: rtf
Reporter: smica83
Tags: CVE-2026-21509 rtf

Intelligence


File Origin
# of uploads: 3
# of downloads: 128
Origin country: HU
Vendor Threat Intelligence
Malware configuration found for: MSO
Details: MSO (extracted component(s) such as package(s) and OLE files)
Malware family: n/a
ID: 1
File name: _ea078216452f5f6d4eea27bbc062286396a5252e2c267ecc3933d05a4e38da15.rtf
Verdict: Malicious activity
Analysis date: 2026-02-24 17:04:29 UTC
Tags: ole-embedded generated-doc CVE-2026-21509 smb webdav

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Legit
File type: application/rtf
Has a screenshot: False
Contains macros: False
Result
Verdict: Malicious
File Type: RTF File
Behaviour: BlacklistAPI detected
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: webdav
Verdict: Malicious
File Type: rtf
Detections: HEUR:Exploit.RTF.CVE-2026-21509.gen
Result
Threat name: n/a
Detection: malicious
Classification: expl.evad.spyw
Score: 72 / 100
Signature:
Document Viewer accesses SMB path (likely to steal NTLM hashes or to download payload)
Malicious sample detected (through community Yara rule)
Microsoft Office loads Shell.Explorer.1 (likely related to CVE-2026-21509)
Multi AV Scanner detection for submitted file
Office drops RTF file
Opens network shares
Behaviour
Behavior Graph ID: 1874245
Sample: design.rtf
Start date: 24/02/2026
Architecture: WINDOWS
Score: 72
Root node (2):
  Network: rostransnadzor.digital; www.tm.lgincdntcs.msftauth.akadns.net; 29 other IPs or domains
  Signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Office drops RTF file
  Started: WINWORD.EXE (node 8, 509 102)
Process WINWORD.EXE (8):
  Network: rostransnadzor.digital 62.3.58.8, ports 139, 443, 445, LIBERTYGLOBAL (Liberty Global, formerly UPC Broadband Holding), Saudi Arabia; prod-eus-resolver.naturallanguageeditorservice.osi.office.net.akadns.net 130.107.71.11, ports 443, 49741, SRI-AICNET US, United States; 2 other IPs or domains
  Dropped: C:\Users\user\Desktop\~$design.rtf (data); C:\Users\user\Desktop\design.rtf (copy, Rich)
  Signatures: Opens network shares; Document Viewer accesses SMB path (likely to steal NTLM hashes or to download payload); Microsoft Office loads Shell.Explorer.1 (likely related to CVE-2026-21509)
  Started: chrome.exe (node 13)
Process chrome.exe (13):
  Network: 192.168.2.24, ports 137, 138, 139, unknown, unknown
  Started: chrome.exe (node 16)
Process chrome.exe (16):
  Network: e329293.dscd.akamaiedge.net 23.206.172.208, ports 443, 49760, NTT-COMMUNICATIONS-2914 US, United States; 13.107.213.38, ports 443, 49766, MICROSOFT-CORP-MSN-AS-BLOCK US, United States; 32 other IPs or domains
Threat name: Document-RTF.Exploit.CVE-2026-21509
Status: Malicious
First seen: 2026-02-24 17:04:29 UTC
File Type: Document
Extracted files: 22
AV detection: 8 of 24 (33.33%)
Threat level: 5/5
Result
Malware family: n/a
Score: 1/10
Tags: n/a
Behaviour:
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments