Malicious RTF — malware analysis report

Static analysis result for SHA-256 144c2a3db161e8b6…

MALICIOUS

RTF

897.5 KB Authoring application: Msftedit 5.41.15.1507 First seen: 2015-09-16
MD5: 34f9bd2ed5db870a1967c3d81240ebb0 SHA-1: d79a7b7df56c8f4ceb7cd304fa140858133b981d SHA-256: 144c2a3db161e8b63a3db6109e4b843a508899ac6c3898f7ab71622a60c47296
162 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF file contains multiple embedded OLE objects, including a package object, which is a strong indicator of malicious intent. ClamAV specifically detects this file as Doc.Exploit.CVE_2012_0158-6826115-0, confirming the exploitation of CVE-2012-0158. This exploit allows for client-side execution of arbitrary code, likely to download and run a secondary payload.

Heuristics 6

  • ClamAV: Doc.Exploit.CVE_2012_0158-6826115-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Exploit.CVE_2012_0158-6826115-0
  • Package object class high RTF_OBJCLASS_PACKAGE
    OLE Package object — can wrap arbitrary files
  • OLE object data medium RTF_OBJDATA
    RTF contains 5 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • OlePres presentation stream in RTF OLE object medium RTF_OLEPRES_STREAM
    RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off0000010d.bin rtf-objdata-decoded RTF \objdata at offset 0x10D 314600 bytes
SHA-256: b7be88d6ee4ed16cd763db43611c66a2088ccd1cd482d625853a53a28790deb7
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.65, consistent with packed or encrypted content.
objdata_01_off0009b9ed.bin rtf-objdata-decoded RTF \objdata at offset 0x9B9ED 95801 bytes
SHA-256: 9508962b3d143bb071a7a06a9ba36ad7938064bb0c1fa49fbd747358554b2c07
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.61, consistent with packed or encrypted content.
objdata_02_off000caffe.bin rtf-objdata-decoded RTF \objdata at offset 0xCAFFE 440 bytes
SHA-256: ea5d234f81e7c6f4d2681a1e14ba35656c4caea1ff0358220f369a5f5b5ba6da
objdata_03_off000cb387.bin rtf-objdata-decoded RTF \objdata at offset 0xCB387 4820 bytes
SHA-256: eaf6b94953dd6f54b865265020e4ca0a201070e7c9cd9401177389dd2e279793
objdata_04_off000cb70f.bin rtf-objdata-decoded RTF \objdata at offset 0xCB70F 2347 bytes
SHA-256: f180756a72c49ab825865be56755d2df3b56e2f8a2f1664890de39855704ceb9