Malicious RTF — malware analysis report

Static analysis result for SHA-256 4c93e35389b25935…

Verdict: MALICIOUS
File type: RTF
Size: 279.2 KB
First seen: 2015-06-30
MD5: ae07906dfc77cc38c1bda3c82859ab48
SHA-1: cf4d668c6e0f7912c13ce2b73add4972bc3d6f4e
SHA-256: 4c93e35389b259352e1b8fe0c90a4d8e6770b5b2bb8a53e571ee505d681b3a8c
Risk Score: 144

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF document contains embedded OLE objects and triggers the CVE-2012-0158 vulnerability. It also includes a remote URL, suggesting it attempts to download and execute a secondary payload. The presence of OLE objects and the specific CVE indicate a malicious intent to compromise the user's system.

Heuristics (7)

  • MSCOMCTL.ListView — CVE-2012-0158 (high; CVE related; rule CVE_2012_0158)
    RTF \objdata decodes to OLE data containing the MSCOMCTL.ListView — CVE-2012-0158 CLSID — the vulnerable control/moniker is embedded directly in the document's object stream, the delivery shape of this exploit. RTF objects auto-render when Word opens the file.
  • INCLUDETEXT/INCLUDEPICTURE remote URL (high; rule RTF_INCLUDE_REMOTE)
    RTF document uses INCLUDETEXT or INCLUDEPICTURE with an http:// URL — Word can fetch the remote content on open depending on Office version and external-content settings, enabling remote template injection, NTLM capture via redirects, or payload delivery.
  • OLE object data (medium; rule RTF_OBJDATA)
    RTF contains 3 \objdata section(s) — embedded OLE objects.
  • Embedded OLE object (medium; rule RTF_OBJEMB)
    RTF contains \objemb — embedded OLE object.
  • OlePres presentation stream in RTF OLE object (medium; rule RTF_OLEPRES_STREAM)
    RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
  • Suspicious extracted artifact (info; rule EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info; rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://www.infodocslibmanagers.com/random/img.php?id=22071827 (in RTF body)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: objdata_00_off000000a8.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0xA8
  Size: 8392 bytes
  SHA-256: b2fe6f7f31b0ef0e921ff6d8567a8f8662cc7f1195e5775e8cd474d0c1acd6f9
Filename: objdata_01_off00004562.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x4562
  Size: 4337 bytes
  SHA-256: c63e566ce17cf8ae6d45cb3a792d78b3200b1b97891131eafc6a534a3d6334fa
Filename: objdata_02_off0000696c.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x696C
  Size: 95810 bytes
  SHA-256: 018c9879976c4352a098d2cea631bf5a6de2660bb5701e4eb29a6125e123d2b0

Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.63, consistent with packed or encrypted content.