MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f81e70c6951855e27ea34f60a6a32e55148a3a09dea84a3feacbeb649357ceee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f81e70c6951855e27ea34f60a6a32e55148a3a09dea84a3feacbeb649357ceee
SHA3-384 hash: 97ee422a406d0bdcfabc5df2bba5b3312ea0e738798f3b06a39dad18e954764a2b068cad58261e2a68ae64e345d07280
SHA1 hash: e272b1abcdfc65f38799dc0064694dc9b0a6d055
MD5 hash: 6ae497e1b1ba531753fa111520f215b6
humanhash: jig-mirror-pennsylvania-florida
File name:1_1_.doc
Download: download sample
File size:1'766'114 bytes
First seen:2026-03-01 11:42:52 UTC
Last seen:2026-03-01 13:03:06 UTC
File type:Word file doc
MIME type:text/rtf
ssdeep 6144:fm1rI2QHBJLHY1cMNkei0evKSgWH8940PYM30+FzW4CUCkXdwUo05bK:fC2L41cMHeK/l4
TLSH T153854F74F6E52CE6E5087147370934D7A492F3028BD07CAD0269D6F7E7F1AB6821B286
TrID 83.3% (.RTF) Rich Text Format (5000/1)
16.6% (.JSON) JSON object (generic) (1000/1)
Magika rtf
Reporter smica83
Tags:CVE-2026-21509 doc

Intelligence

File Origin
# of uploads :
2
# of downloads :
135
Origin country :
HU HU
Vendor Threat Intelligence
Malware configuration found for:
MSO
Details
MSO
extracted component(s) such as package(s) and OLE files
Link:
https://research.acce.ciphertechsolutions.com/results/478dc314-750f-47ed-bfdc-fb1b29af4cdb/
Malware family:
n/a
ID:
1
File name:
_f81e70c6951855e27ea34f60a6a32e55148a3a09dea84a3feacbeb649357ceee.rtf
Verdict:
Malicious activity
Analysis date:
2026-03-01 11:44:36 UTC
Tags:
generated-doc ole-embedded webdav CVE-2026-21509
Link:
https://app.any.run/tasks/107e2847-6c88-4c80-8b1a-2256e0d25259

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Other.Malware-gen.45518954.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69a426528fffa866e3b3b3fb
Tags:
vmdetect virus remo sage
Result
Verdict:
Malicious
File Type:
Fake RTF File
Link:
https://app.docguard.net/f81e70c6951855e27ea34f60a6a32e55148a3a09dea84a3feacbeb649357ceee/results/dashboard
Behaviour
BlacklistAPI detected
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm exploit obfuscated webdav
Link:
https://www.filescan.io/uploads/69a4264f97feb4afd662818f/reports/b22bc169-41c9-4e3f-b96b-a28008da74eb/overview
Verdict:
Malicious
Labled as:
CVE-2026-21509
Link:
https://www.hybrid-analysis.com/sample/f81e70c6951855e27ea34f60a6a32e55148a3a09dea84a3feacbeb649357ceee
Label:
Malicious
Suspicious Score:
10/10
Score Malicious:
1%
Score Benign:
0%
Link:
https://www.malware.ai/gui/files/?id=96d34bcd-3fc7-4c1d-bb2c-2f39afb88d7c
Verdict:
Malicious
File Type:
rtf
Detections:
HEUR:Exploit.MSOffice.CVE-2026-21509.gen
Link:
https://opentip.kaspersky.com/f81e70c6951855e27ea34f60a6a32e55148a3a09dea84a3feacbeb649357ceee/results?tab=lookup
Result
Threat name:
CVE-2026-21509
Create hunting rule
Detection:
malicious
Classification:
spyw.expl.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1876460
Signature
Document Viewer accesses SMB path (likely to steal NTLM hashes or to download payload)
Malicious sample detected (through community Yara rule)
Microsoft Office loads Shell.Explorer.1 (likely related to CVE-2026-21509)
Multi AV Scanner detection for submitted file
Opens network shares
Suricata IDS alerts for network traffic
Yara detected CVE-2026-21509
Behaviour
Behavior Graph:
Download SVG
Score:
4%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/f81e70c6951855e27ea34f60a6a32e55148a3a09dea84a3feacbeb649357ceee
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f81e70c6951855e27ea34f60a6a32e55148a3a09dea84a3feacbeb649357ceee/
Verdict:
Malicious
Threat:
CVE-2026-21509
Link:
https://tip.neiki.dev/file/f81e70c6951855e27ea34f60a6a32e55148a3a09dea84a3feacbeb649357ceee
Threat name:
Win32.Exploit.CVE-2026-21509
Create hunting rule
Status:
Malicious
First seen:
2026-03-01 11:43:22 UTC
File Type:
Document
Extracted files:
21
AV detection:
9 of 35 (25.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7aphbruvdbk6e7vdj5qknizokukiuoqj32ueup7kzpvwje2xz3xa._file
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/260301-nvmm1ae19d/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.20
Link:
https://yomi.yoroi.company/submissions/f81e70c6951855e27ea34f60a6a32e55148a3a09dea84a3feacbeb649357ceee

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SUSP_RTF_with_potential_CVE_2026_21509_exploit_nows
Create hunting rule
Author:Philippe Lagadec
Description:Detects RTF files containing a Shell.Explorer.1 OLE object, possibly an exploit for CVE-2026-21509
Reference:https://decalage.info/CVE-2026-21509/
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments