Malicious RTF — malware analysis report

Static analysis result for SHA-256 311b61bb45e85533…

MALICIOUS

RTF

98.9 KB Authoring application: Riched20 6.2.9200 First seen: 2014-11-01
MD5: fd24cb92a92a5f309f2d59fc9feccde3 SHA-1: f3e84a2ca5dc6e632c5c97e598275d1f7faade6b SHA-256: 311b61bb45e855331d879038ebcc8addcfb83cfd5dd7b0a70873fa04790d46a0
162 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The sample is an RTF file identified as malicious by ClamAV due to the presence of an embedded OLE object exploiting CVE-2012-0158. This vulnerability allows for arbitrary code execution when the file is opened. The embedded URL suggests a download location for a secondary payload.

Heuristics 6

  • MSCOMCTL.ListView — CVE-2012-0158 high CVE related CVE_2012_0158
    RTF \objdata decodes to OLE data containing the MSCOMCTL.ListView — CVE-2012-0158 CLSID — the vulnerable control/moniker is embedded directly in the document's object stream, the delivery shape of this exploit. RTF objects auto-render when Word opens the file.
  • ClamAV: Doc.Exploit.CVE_2012_0158-6826115-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Exploit.CVE_2012_0158-6826115-0
  • OLE object data medium RTF_OBJDATA
    RTF contains 5 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • OlePres presentation stream in RTF OLE object medium RTF_OLEPRES_STREAM
    RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://omcasm.lixter.com/2.exe In RTF body

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off0000015c.bin rtf-objdata-decoded RTF \objdata at offset 0x15C 19276 bytes
SHA-256: 0d6fc6a59f242161a19ce1143b02c3791a87de08e82d95f19da6e3fb3cde3dcf
objdata_01_off0000ed57.bin rtf-objdata-decoded RTF \objdata at offset 0xED57 14939 bytes
SHA-256: 01078634901661b6652349b6ebb95ae96869f541ddda626910de7e2d6cb82321
objdata_02_off00016557.bin rtf-objdata-decoded RTF \objdata at offset 0x16557 40 bytes
SHA-256: 37aa5fe751e5aba26b25a2c786f2c29b5f3208f7759cb31145ae2630179935b8
objdata_03_off000165bf.bin rtf-objdata-decoded RTF \objdata at offset 0x165BF 4652 bytes
SHA-256: 227478728ed39c6fe3173c126a39d5e5ed1cfa66a0431a2dca0bfa13dbbbd006
objdata_04_off00016620.bin rtf-objdata-decoded RTF \objdata at offset 0x16620 2353 bytes
SHA-256: 6546e60fd5538fce447b763ea53fe985ade0cea7386d643784930eac95b9e5c4

Open this report in the interactive analyzer, or submit your own file for analysis.