Malicious RTF — malware analysis report

Static analysis result for SHA-256 069c9a18c60d9ffa…

Verdict: MALICIOUS
File type: RTF
Size: 6.61 MB
Authoring application: Msftedit 5.41.15.1515
First seen: 2018-10-07
MD5: cde91403be0c15c2a964bd30fd9e9a66
SHA-1: 3ecfeb05b37414f9db5249030d292b64e1d5dabe
SHA-256: 069c9a18c60d9ffa96c7ffe8262acf3c0e61cc1e455edf81a411427cad455c03
Risk score: 184

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF contains five embedded OLE objects and roughly 6511 KB of hex-encoded object data; the largest decoded object (3176112 bytes) has an entropy of 7.98, consistent with a packed or encrypted payload. A high-severity heuristic found the CLSID of the MSCOMCTL.ListView control associated with CVE-2012-0158 in the decoded object data, the usual delivery shape for that exploit in RTF documents. A CLSID match is a static indicator of the exploit, not proof that the object triggers it, and ClamAV reports nothing on the carved objects, so dynamic confirmation is still needed. The document also carries an INCLUDETEXT/INCLUDEPICTURE field pointing at http://propay24.ru/4/img.jpg?id=20164197&bid=48A727E8, which Word may fetch on open; static analysis does not show what that URL serves, so treat it as a suspected second-stage download or exploit-delivery channel and block or hunt the domain accordingly.

Heuristics (8)

  • MSCOMCTL.ListView — CVE-2012-0158 [high] CVE_2012_0158 (CVE related)
    The hex in an RTF \objdata section decodes to OLE data that carries the CLSID of the MSCOMCTL.ListView ActiveX control targeted by CVE-2012-0158. The vulnerable control is embedded directly in the document's object stream, which is the delivery shape of this exploit, and Word renders embedded RTF objects automatically when the file is opened, so no interaction beyond opening is needed. The CLSID identifies the exploit shape statically; whether the object's property data actually triggers the bug has to be confirmed by inspecting that data or by detonation.
  • Large hex data blocks in OLE object [high] RTF_EXCESSIVE_HEX
    The RTF contains about 6511 KB of hex-encoded data inside \objdata sections, far more than a benign embedded object needs; the volume is consistent with a packed or encrypted payload stored in the object data.
  • INCLUDETEXT/INCLUDEPICTURE remote URL [high] RTF_INCLUDE_REMOTE
    The document uses an INCLUDETEXT or INCLUDEPICTURE field with an http:// URL. Depending on the Office version and the external-content and field-update settings, Word fetches the remote content when the document opens, which enables remote template injection, NTLM credential capture when the server redirects to a UNC/WebDAV path, or payload delivery.
  • OLE object data [medium] RTF_OBJDATA
    The RTF contains 5 \objdata sections, each an embedded OLE object.
  • Embedded OLE object [medium] RTF_OBJEMB
    The RTF contains \objemb, the control word that marks an embedded OLE object.
  • OlePres presentation stream in RTF OLE object [medium] RTF_OLEPRES_STREAM
    An embedded OLE object carries an OlePres presentation stream. OlePres is a generic OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files carved from this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms (see the extracted artifacts below).
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label records which channel (macro, JS, link annotation, document body, ...) reached it.
    URL: http://propay24.ru/4/img.jpg?id=20164197&bid=48A727E8 (channel: RTF body)
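The heuristics above can be reproduced with a short static check. The script below is an added example written for this page, not the analysis platform's own code: it decodes RTF \objdata hex (dropping interleaved control words and whitespace, which obfuscated documents rely on), searches the decoded bytes for the little-endian CLSIDs of the MSCOMCTL controls that CVE-2012-0158 exploits target, flags oversized or high-entropy object data, and pulls http(s) URLs out of INCLUDETEXT/INCLUDEPICTURE fields. The CLSID list, the MSComctlLib.ListViewCtrl ProgID string, the 1 MB and 7.5-bit thresholds, and the sample RTF (with the placeholder URL http://example.invalid/img.jpg) are this example's own assumptions and constructed inputs, not values taken from the report.

```python
"""Added RTF triage example (not the analysis platform's code).
Decodes \\objdata hex, looks for CVE-2012-0158 MSCOMCTL CLSIDs, flags
large/high-entropy object data and extracts remote INCLUDE* field URLs.
The CLSID list, ProgID string and thresholds are assumptions of this example."""
import math
import re
import struct
import uuid

# Assumed: CLSIDs of MSCOMCTL controls targeted by CVE-2012-0158 exploits.
# OLE stores a CLSID with its first three fields little-endian, which is
# exactly what uuid.UUID(...).bytes_le yields, so that is the form we search.
CVE_2012_0158_CLSIDS = {
    "BDD1F04B-858B-11D1-B16A-00C0F0283628": "MSCOMCTL.ListView",
    "996BF5E0-8044-4650-ADEB-0B013914E99C": "MSCOMCTL.ListView (v6)",
    "C74190B6-8589-11D1-B16A-00C0F0283628": "MSCOMCTL.TreeView",
}
LISTVIEW_PROGID = b"MSComctlLib.ListViewCtrl"  # assumed ProgID prefix


def _group_body(rtf: str, start: int) -> str:
    """Text from `start` up to the '}' that closes the group `start` is in."""
    depth = 0
    for i in range(start, len(rtf)):
        if rtf[i] == "{":
            depth += 1
        elif rtf[i] == "}":
            if depth == 0:
                return rtf[start:i]
            depth -= 1
    return rtf[start:]


def decode_objdata(rtf: str) -> list:
    """Locate every \\objdata destination and decode its hex payload.
    Obfuscated RTFs interleave whitespace, control words and nested groups
    with the hex, so control words are dropped and only hex digits are kept
    (\\'hh escapes and \\bin runs are not handled; a simplification)."""
    decoded = []
    for m in re.finditer(r"\\objdata\b", rtf):
        body = _group_body(rtf, m.end())
        body = re.sub(r"\\[a-zA-Z]+-?\d*\s?", "", body)  # strip control words
        digits = re.sub(r"[^0-9A-Fa-f]", "", body)        # keep hex digits only
        digits = digits[: len(digits) & ~1]               # even length for fromhex
        decoded.append((m.start(), bytes.fromhex(digits)))
    return decoded


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is uniform; packed or encrypted data sits near it."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


FIELD_RE = re.compile(
    r'\\fldinst\b[^}]*?(INCLUDETEXT|INCLUDEPICTURE)\s+"?(https?://[^\s"\\}]+)', re.I)


def remote_includes(rtf: str) -> list:
    """(field, url) for every INCLUDETEXT/INCLUDEPICTURE field with an http(s) URL."""
    return [(m.group(1).upper(), m.group(2)) for m in FIELD_RE.finditer(rtf)]


def scan_rtf(rtf: str, hex_limit: int = 1_000_000, entropy_limit: float = 7.5) -> dict:
    """Run the heuristics; findings are (severity, tag, detail) tuples."""
    findings = []
    objects = decode_objdata(rtf)
    for offset, blob in objects:
        for guid, name in CVE_2012_0158_CLSIDS.items():
            if uuid.UUID(guid).bytes_le in blob:
                findings.append(("high", "CVE_2012_0158",
                                 f"{name} CLSID {guid} in \\objdata at 0x{offset:X}"))
        if LISTVIEW_PROGID in blob:
            findings.append(("medium", "MSCOMCTL_PROGID", f"ProgID in \\objdata at 0x{offset:X}"))
        if len(blob) >= hex_limit:
            findings.append(("high", "RTF_EXCESSIVE_HEX", f"{len(blob)} bytes at 0x{offset:X}"))
        ent = shannon_entropy(blob)
        if ent >= entropy_limit:
            findings.append(("medium", "HIGH_ENTROPY", f"entropy {ent:.2f} at 0x{offset:X}"))
    for field, url in remote_includes(rtf):
        findings.append(("high", "RTF_INCLUDE_REMOTE", f"{field} -> {url}"))
    return {"objdata_sections": len(objects), "findings": findings}


def build_sample_rtf() -> str:
    """Constructed sample (not the analysed file, not an exploit): an OLE1
    object header carrying the ListView ProgID and CLSID, hex-encoded with a
    control word and a newline sprinkled in, plus a remote INCLUDEPICTURE field."""
    name = b"MSComctlLib.ListViewCtrl.2\x00"
    ole1 = (struct.pack("<II", 0x0501, 2) + struct.pack("<I", len(name)) + name
            + uuid.UUID("BDD1F04B-858B-11D1-B16A-00C0F0283628").bytes_le + b"\x00" * 32)
    h = ole1.hex()
    h = h[:16] + "\\bin0 " + h[16:48] + "\n" + h[48:]   # mimic hex obfuscation
    return (r"{\rtf1{\object\objemb{\*\objclass MSComctlLib.ListViewCtrl.2}"
            r"{\*\objdata " + h + "}}"
            r'{\field{\*\fldinst INCLUDEPICTURE "http://example.invalid/img.jpg" \\d}'
            r"{\fldrslt }}}")


if __name__ == "__main__":
    for sev, tag, detail in scan_rtf(build_sample_rtf())["findings"]:
        print(f"{sev:6} {tag:20} {detail}")
```

To run it against a real document, read the file with `open(path, encoding="latin-1").read()` so every byte maps to one character and the hex offsets line up with the file; the decoded objects can then be written out and hashed the same way the extracted-artifact table below does, and anything with entropy near 8 and no recognisable OLE structure is a candidate for an unpacker or a sandbox rather than further static work.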

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename                    Kind                 Source                           Size
objdata_00_off000000e9.bin  rtf-objdata-decoded  RTF \objdata at offset 0xE9      3176112 bytes
    SHA-256: b962a4d0b605062fc3ed67db5617e31eff78b608871144aa9655293ca145aa4e
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact entropy 7.98, consistent with packed or encrypted content)
objdata_01_off00635b17.bin  rtf-objdata-decoded  RTF \objdata at offset 0x635B17  160 bytes
    SHA-256: b393978842a0fa3d3e1470196f098f473f9678e72463cb65ec4ab5581856c2e4
objdata_02_off0063615e.bin  rtf-objdata-decoded  RTF \objdata at offset 0x63615E  497 bytes
    SHA-256: 8155e5527a649c27a9a3fd2ec4666c1af245ca0a64fd66b991b0f42568a1022b
objdata_03_off00636777.bin  rtf-objdata-decoded  RTF \objdata at offset 0x636777  4337 bytes
    SHA-256: 9642490640d298d0af84e73a57a60826b1e39cbd8c7efcb46969836077f5d54c
objdata_04_off00638bc3.bin  rtf-objdata-decoded  RTF \objdata at offset 0x638BC3  167010 bytes
    SHA-256: 01ce29b2bad2c55c1fb407a51c2bd1ee43bb61e39434806b20986ed6369dcf2f
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact entropy 7.57, consistent with packed or encrypted content)