Win.Trojan.Elpapok-1 — RTF malware analysis

Static analysis result for SHA-256 1c74c912401d3546…

MALICIOUS

RTF

Size: 208.3 KB
First seen: 2015-09-17
MD5: 4c7919d6138f8b56639209f68b031740
SHA-1: 6ce58a86962e0b95268f41c909563d31188d91ea
SHA-256: 1c74c912401d3546581c7e2a99a2205f9ba7aa0533c3e6fdad814398aa131c9f
Risk Score: 120

Malware Insights

Win.Trojan.Elpapok-1 · confidence 95%

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF document contains OLE object data and triggers a critical ClamAV detection for Win.Trojan.Elpapok-1. Static analysis identified the CVE-2012-0158 vulnerability in MSCOMCTL.ListView, indicating a likely exploitation for client execution. The embedded OLE object data is the primary indicator of this exploit.

Heuristics (3)

  • MSCOMCTL.ListView — CVE-2012-0158 (severity: high; category: CVE related; tag: CVE_2012_0158)
    The RTF \objdata section decodes to OLE data containing the CLSID of the MSCOMCTL.ListView control associated with CVE-2012-0158. The vulnerable control/moniker is embedded directly in the document's object stream, which is the typical delivery form for this exploit. RTF objects are rendered automatically when Word opens the file.
  • ClamAV: Win.Trojan.Elpapok-1 (severity: critical; tag: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.Elpapok-1
  • OLE object data (severity: medium; tag: RTF_OBJDATA)
    The RTF contains 1 \objdata section(s), i.e. embedded OLE object(s).

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off0000005f.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x5F
Size: 4614 bytes
SHA-256: 9d058bf2c99516cfc4becb88322d72d1af5182404806ea004ce5128eacf11217