MALICIOUS
184
Risk Score
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment
The RTF file contains multiple OLE objects and excessive hex-encoded data, indicative of a packed payload. A high-severity heuristic identified the CVE-2012-0158 vulnerability, which is often exploited via RTF documents. The file also attempts to download a secondary payload from the URL http://propay24.ru/4/img.jpg?id=20164197&bid=48A727E8, suggesting a downloader or exploit delivery mechanism.
Heuristics 8
-
MSCOMCTL.ListView — CVE-2012-0158 high CVE_2012_0158RTF \objdata decodes to OLE data containing the MSCOMCTL.ListView — CVE-2012-0158 CLSID — the vulnerable control/moniker is embedded directly in the document's object stream, the delivery shape of this exploit. RTF objects auto-render when Word opens the file.
-
Large hex data blocks in OLE object high RTF_EXCESSIVE_HEXRTF contains ~6511KB of hex-encoded data inside \objdata sections — may hide a payload
-
INCLUDETEXT/INCLUDEPICTURE remote URL high RTF_INCLUDE_REMOTERTF document uses INCLUDETEXT or INCLUDEPICTURE with an http:// URL — Word can fetch the remote content on open depending on Office version and external-content settings, enabling remote template injection, NTLM capture via redirects, or payload delivery
-
OLE object data medium RTF_OBJDATARTF contains 5 \objdata section(s) — embedded OLE objects
-
Embedded OLE object medium RTF_OBJEMBRTF contains \objemb — embedded OLE object
-
OlePres presentation stream in RTF OLE object medium RTF_OLEPRES_STREAMRTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://propay24.ru/4/img.jpg?id=20164197&bid=48A727E8 In RTF body
Extracted artifacts 5
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
objdata_00_off000000e9.bin |
rtf-objdata-decoded | RTF \objdata at offset 0xE9 | 3176112 bytes |
SHA-256: b962a4d0b605062fc3ed67db5617e31eff78b608871144aa9655293ca145aa4e |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact entropy is 7.98, consistent with packed or encrypted content.
|
|||
objdata_01_off00635b17.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x635B17 | 160 bytes |
SHA-256: b393978842a0fa3d3e1470196f098f473f9678e72463cb65ec4ab5581856c2e4 |
|||
objdata_02_off0063615e.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x63615E | 497 bytes |
SHA-256: 8155e5527a649c27a9a3fd2ec4666c1af245ca0a64fd66b991b0f42568a1022b |
|||
objdata_03_off00636777.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x636777 | 4337 bytes |
SHA-256: 9642490640d298d0af84e73a57a60826b1e39cbd8c7efcb46969836077f5d54c |
|||
objdata_04_off00638bc3.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x638BC3 | 167010 bytes |
SHA-256: 01ce29b2bad2c55c1fb407a51c2bd1ee43bb61e39434806b20986ed6369dcf2f |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact entropy is 7.57, consistent with packed or encrypted content.
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.