Malicious RTF — malware analysis report

Static analysis result for SHA-256 1363a1a8e843e71d…

Verdict: MALICIOUS
File type: RTF
Size: 914.2 KB
First seen: 2015-06-23
MD5: 0530b4088d59aece9ce7040a5ed51989
SHA-1: 230c1d7049d21d5c537884b06f122cb78b837f40
SHA-256: 1363a1a8e843e71daf2c86c495651ff6443614817b4157e3465c6d7cd17c02ed
Risk score: 102

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The file is an RTF document that contains embedded OLE objects, triggering heuristics for CVE-2012-0158, a known vulnerability in MSCOMCTL.ListView. This indicates the file is designed to exploit this vulnerability for client-side execution. The document body contains a generic request for apartment details, which is likely a lure to disguise the malicious intent of the embedded exploit. No scripts were extracted, and the primary threat is the exploitation of the RTF format itself.

Heuristics (5)

  • MSCOMCTL.ListView — CVE-2012-0158 (severity: high, category: CVE related, id: CVE_2012_0158)
    RTF \objdata decodes to OLE data containing the MSCOMCTL.ListView — CVE-2012-0158 CLSID — the vulnerable control/moniker is embedded directly in the document's object stream, the delivery shape of this exploit. RTF objects auto-render when Word opens the file.
  • OLE object data (severity: medium, id: RTF_OBJDATA)
    RTF contains 3 \objdata section(s) — embedded OLE objects.
  • Embedded OLE object (severity: medium, id: RTF_OBJEMB)
    RTF contains \objemb — embedded OLE object.
  • OlePres presentation stream in RTF OLE object (severity: medium, id: RTF_OLEPRES_STREAM)
    RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
  • Suspicious extracted artifact (severity: info, id: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • objdata_00_off000000a9.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0xA9
    Size: 325152 bytes
    SHA-256: 17e0d4fdfb7e6d8bc5c9df059ba22f222da0d4510f2ea2fdef316062688a0cc1
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact entropy is 7.83, consistent with packed or encrypted content)
  • objdata_01_off000a2d93.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0xA2D93
    Size: 4337 bytes
    SHA-256: 1ec717ec0af49adeddc02629b08b67d1379a81872064f80813797881e8c52224
  • objdata_02_off000a51d8.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0xA51D8
    Size: 95810 bytes
    SHA-256: fd531defb79f49e4077c636864636191ceb4bcdfd311fe6640a7f9390124c7e3
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact entropy is 7.63, consistent with packed or encrypted content)