Verdict: MALICIOUS
Risk Score: 160
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment
The RTF file contains embedded OLE objects and triggers heuristics related to CVE-2012-0158, indicating exploitation of a vulnerability in MSCOMCTL.ListView. This suggests the file is designed to execute arbitrary code upon opening, likely delivered via spearphishing.
Heuristics (6)
- MSCOMCTL.ListView — CVE-2012-0158 (severity: high, rule: CVE_2012_0158): RTF \objdata decodes to OLE data containing the CLSID of the MSCOMCTL.ListView control associated with CVE-2012-0158; the vulnerable control/moniker is embedded directly in the document's object stream, which is the delivery shape of this exploit. RTF objects auto-render when Word opens the file.
- Heap-spray pattern detected (severity: high, rule: SC_HEAP_SPRAY): Repeated 0x41 (A) bytes found.
  Disassembly: attempted x86 opcode disassembly of the region yields 96 consecutive `41 inc ecx` instructions, from 00090544 through 000905A3, consistent with the repeated 0x41 byte run this heuristic reports.
- OLE object data (severity: medium, rule: RTF_OBJDATA): RTF contains 4 \objdata section(s), i.e. embedded OLE objects.
- Embedded OLE object (severity: medium, rule: RTF_OBJEMB): RTF contains \objemb, an embedded OLE object.
- OlePres presentation stream in RTF OLE object (severity: medium, rule: RTF_OLEPRES_STREAM): RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
- Suspicious extracted artifact (severity: medium, rule: EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (4)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 | Detection |
|---|---|---|---|---|---|
| objdata_00_off000000ab.bin | rtf-objdata-decoded | RTF \objdata at offset 0xAB | 103705 bytes | cf84537ce3d1a008bb04bd96141d0773f4b9beb129e8ec20e512bc996d6113b2 | ClamAV: No threats found. Obfuscation or payload: likely (carved artifact entropy is 7.70, consistent with packed or encrypted content). |
| objdata_01_off0003405d.bin | rtf-objdata-decoded | RTF \objdata at offset 0x3405D | 4662 bytes | eb1a5369a7e7d342dd985a88def85b32d806406fc834f93058aa185b5efc7fd2 | ClamAV: No threats found. Obfuscation or payload: likely (static shellcode analysis found candidate code region(s); indicators: SC_GETPC_CALL). |
| objdata_02_off00034068.bin | rtf-objdata-decoded | RTF \objdata at offset 0x34068 | 2333 bytes | 6a5accfb370051557ec53753b465bc7c90ee9569f5b521b951829cc892299826 | No detection details reported. |
| objdata_03_off0003aca8.bin | rtf-objdata-decoded | RTF \objdata at offset 0x3ACA8 | 167010 bytes | d87a516edbc8fe96134611ba592a38b2a447d7502f19e04a63d468bc09527571 | ClamAV: No threats found. Obfuscation or payload: likely (carved artifact entropy is 7.54, consistent with packed or encrypted content). |