Verdict: MALICIOUS
Risk score: 142
Malware Insights
MITRE ATT&CK: T1203 Exploitation for Client Execution
The RTF file contains embedded OLE objects and triggers heuristics related to CVE-2012-0158, which affects the MSCOMCTL.ListView control. This indicates the file is designed to exploit this vulnerability for client-side code execution. No specific family could be identified from the available evidence.
Heuristics (6)
- MSCOMCTL.ListView — CVE-2012-0158 (high, CVE_2012_0158): RTF \objdata decodes to OLE data containing the MSCOMCTL.ListView — CVE-2012-0158 CLSID — the vulnerable control/moniker is embedded directly in the document's object stream, the delivery shape of this exploit. RTF objects auto-render when Word opens the file.
- Heap-spray pattern detected (high, SC_HEAP_SPRAY): Repeated 0x41 (A) bytes found.
Disassembly: attempted x86 opcode disassembly.
- OLE object data (medium, RTF_OBJDATA): RTF contains 5 \objdata section(s) — embedded OLE objects.
- Embedded OLE object (medium, RTF_OBJEMB): RTF contains \objemb — embedded OLE object.
- OlePres presentation stream in RTF OLE object (medium, RTF_OLEPRES_STREAM): RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (5)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 | Detection |
|---|---|---|---|---|---|
| objdata_00_off000000ab.bin | rtf-objdata-decoded | RTF \objdata at offset 0xAB | 103705 bytes | cf84537ce3d1a008bb04bd96141d0773f4b9beb129e8ec20e512bc996d6113b2 | ClamAV: no threats found. Obfuscation or payload: likely (carved artifact entropy is 7.70, consistent with packed or encrypted content). |
| objdata_01_off00034052.bin | rtf-objdata-decoded | RTF \objdata at offset 0x34052 | 440 bytes | ea5d234f81e7c6f4d2681a1e14ba35656c4caea1ff0358220f369a5f5b5ba6da | |
| objdata_02_off000343ee.bin | rtf-objdata-decoded | RTF \objdata at offset 0x343EE | 4730 bytes | dd2c66016e6c146e590fd8107abc0acb29825bb155d518ba263f76a63287a3b2 | |
| objdata_03_off0003444f.bin | rtf-objdata-decoded | RTF \objdata at offset 0x3444F | 2360 bytes | e6dd60646f6317b9d342e28f6bdb71ae12c100a0f1abe02ae6fdc279518e8a4d | |
| objdata_04_off0003af5f.bin | rtf-objdata-decoded | RTF \objdata at offset 0x3AF5F | 167010 bytes | d87a516edbc8fe96134611ba592a38b2a447d7502f19e04a63d468bc09527571 | ClamAV: no threats found. Obfuscation or payload: likely (carved artifact entropy is 7.54, consistent with packed or encrypted content). |