Verdict: MALICIOUS
Risk Score: 120
Malware Insights
MITRE ATT&CK
- T1203 Exploitation for Client Execution
- T1566.001 Spearphishing Attachment
The RTF document contains an embedded OLE object, identified as a critical heuristic for CVE-2012-0158. This exploit targets the MSCOMCTL.ListView control, indicating the file is designed to execute arbitrary code. The presence of XOR-encoded strings further suggests obfuscation to hide malicious content, likely a downloader for a secondary payload.
Heuristics (3)
- MSCOMCTL.ListView — CVE-2012-0158 (severity: high, rule CVE_2012_0158): the RTF \objdata decodes to OLE data containing the CLSID of the MSCOMCTL.ListView control (CVE-2012-0158). The vulnerable control/moniker is embedded directly in the document's object stream, which is the delivery shape of this exploit. RTF objects auto-render when Word opens the file.
- XOR-encoded strings (key 0xFC) (severity: critical, rule SC_XOR_ENCODED): found 8 Windows library/API name(s) XOR-encoded with the single-byte key 0xFC: 'LoadLibraryA', 'LoadLibraryA', 'LoadLibraryA', 'LoadLibraryA', 'LoadLibraryW', 'GetProcAddress', 'GetProcAddress', 'GetProcAddress'
Disassembly
Attempted x86 opcode disassembly.
- OLE object data (severity: medium, rule RTF_OBJDATA): the RTF contains 1 \objdata section(s), i.e. embedded OLE objects.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| objdata_00_off0000006e.bin | rtf-objdata-decoded | RTF \objdata at offset 0x6E | 3893 bytes | 24ab7d449ad81a3dab2d4ad56d1ea549d7c30b3d1272df65c021577ac39943b2 |