Since both B and D were secret, B' and D' are accepted.
Secretly masking data lends to malleability. (EDIT: Not a mask)
EDIT: As CJefferson points out the operation is not a mask, but concatenation of a fixed length random value which invalidates this example. Exploiting this secrecy would require a weakness in SHA256 that allows input prefixes to produce colliding hash states (hard).
Here || denotes concatenation. Therefore your only options are to change where you split B and D into two two strings. If you (as is common) either fix the length of B, or make sure the splitter marker characters can't occur in B, then given C, B and D are fixed.
I compute C = B || D.
I reveal C.
I later choose new data D'.
I compute C = B' || D'.
I reveal B' and D'.
Since both B and D were secret, B' and D' are accepted.
Secretly masking data lends to malleability. (EDIT: Not a mask)
EDIT: As CJefferson points out the operation is not a mask, but concatenation of a fixed length random value which invalidates this example. Exploiting this secrecy would require a weakness in SHA256 that allows input prefixes to produce colliding hash states (hard).