RTF malware analysis — malicious · 19faec9364a5eab8

MALICIOUS

RTF

1.05 MB First seen: 2015-09-30

MD5: 894ab3448048eff91333b478e52ca370 SHA-1: 9908a0ff6b4f25d8ff48a82dae9d22a20a2339ad SHA-256: 19faec9364a5eab8a7e5f0111d92ab514e9b74bcf2228c8c719e3588a2272bd4

184 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF file contains multiple OLE objects, with high heuristic scores indicating the exploitation of CVE-2012-0158. One of the embedded objects is linked to a remote URL, suggesting it acts as a downloader for a secondary payload. The presence of large, hex-encoded data within the OLE objects further supports the likelihood of a hidden malicious payload being delivered.

Heuristics 8

MSCOMCTL.ListView — CVE-2012-0158 high CVE related CVE_2012_0158

RTF \objdata decodes to OLE data containing the MSCOMCTL.ListView — CVE-2012-0158 CLSID — the vulnerable control/moniker is embedded directly in the document's object stream, the delivery shape of this exploit. RTF objects auto-render when Word opens the file.
Large hex data blocks in OLE object high RTF_EXCESSIVE_HEX

RTF contains ~1044KB of hex-encoded data inside \objdata sections — may hide a payload
INCLUDETEXT/INCLUDEPICTURE remote URL high RTF_INCLUDE_REMOTE

RTF document uses INCLUDETEXT or INCLUDEPICTURE with an http:// URL — Word can fetch the remote content on open depending on Office version and external-content settings, enabling remote template injection, NTLM capture via redirects, or payload delivery
OLE object data medium RTF_OBJDATA

RTF contains 3 \objdata section(s) — embedded OLE objects
Embedded OLE object medium RTF_OBJEMB

RTF contains \objemb — embedded OLE object
OlePres presentation stream in RTF OLE object medium RTF_OLEPRES_STREAM

RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://nynewsguardianinternet.com/webstat/img.php?id=11174148 In RTF body

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off000000dd.bin`	rtf-objdata-decoded	RTF \objdata at offset 0xDD	338392 bytes
SHA-256: `e3a72ddf825a5e6c7d51cf943864678aa3bce86bd8ab9aef8bcec75095b95305`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.77, consistent with packed or encrypted content.
`objdata_01_off000a98a5.bin`	rtf-objdata-decoded	RTF \objdata at offset 0xA98A5	4337 bytes
SHA-256: `e7aec601a0726cff247bacf481ccbabe465effb3b2fb3becd4a82c9b3ea2c405`
`objdata_02_off000abcea.bin`	rtf-objdata-decoded	RTF \objdata at offset 0xABCEA	167010 bytes
SHA-256: `733d1ac3d47fc742fd7c6b5473c357ac3ecf05cfb4da73d3c7e4677077f0bdab`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.56, consistent with packed or encrypted content.

Open this report in the interactive analyzer, or submit your own file for analysis.