Verdict: MALICIOUS
Risk Score: 142

Malware Insights

MITRE ATT&CK: T1203 Exploitation for Client Execution
The RTF file contains embedded OLE objects and triggers heuristics related to CVE-2012-0158, which is an exploit targeting MSCOMCTL.ListView. This indicates the file is designed to exploit this vulnerability to achieve code execution on the victim's machine. No specific family could be identified.
Heuristics (6)

- MSCOMCTL.ListView — CVE-2012-0158 (severity: high, id: CVE_2012_0158): RTF \objdata decodes to OLE data containing the MSCOMCTL.ListView — CVE-2012-0158 CLSID — the vulnerable control/moniker is embedded directly in the document's object stream, the delivery shape of this exploit. RTF objects auto-render when Word opens the file.
- Heap-spray pattern detected (severity: high, id: SC_HEAP_SPRAY): Repeated 0x41 (A) bytes found.
  Disassembly: attempted x86 opcode disassembly of the repeated 0x41 bytes (each decodes as `inc ecx`).
- OLE object data (severity: medium, id: RTF_OBJDATA): RTF contains 5 \objdata section(s) — embedded OLE objects.
- Embedded OLE object (severity: medium, id: RTF_OBJEMB): RTF contains \objemb — embedded OLE object.
- OlePres presentation stream in RTF OLE object (severity: medium, id: RTF_OLEPRES_STREAM): RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
- Suspicious extracted artifact (severity: info, id: EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (5)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 | Detection |
|---|---|---|---|---|---|
| objdata_00_off000000ab.bin | rtf-objdata-decoded | RTF \objdata at offset 0xAB | 103705 bytes | cf84537ce3d1a008bb04bd96141d0773f4b9beb129e8ec20e512bc996d6113b2 | ClamAV: no threats found. Obfuscation or payload: likely (carved artifact entropy is 7.70, consistent with packed or encrypted content). |
| objdata_01_off00034052.bin | rtf-objdata-decoded | RTF \objdata at offset 0x34052 | 440 bytes | ea5d234f81e7c6f4d2681a1e14ba35656c4caea1ff0358220f369a5f5b5ba6da | |
| objdata_02_off000343ee.bin | rtf-objdata-decoded | RTF \objdata at offset 0x343EE | 4730 bytes | 8cc1847e88858149520dd1a9feea0efb20610410e0831b2957694921dcf3c5e8 | |
| objdata_03_off0003444f.bin | rtf-objdata-decoded | RTF \objdata at offset 0x3444F | 2360 bytes | e6dd60646f6317b9d342e28f6bdb71ae12c100a0f1abe02ae6fdc279518e8a4d | |
| objdata_04_off0003af5f.bin | rtf-objdata-decoded | RTF \objdata at offset 0x3AF5F | 167010 bytes | d87a516edbc8fe96134611ba592a38b2a447d7502f19e04a63d468bc09527571 | ClamAV: no threats found. Obfuscation or payload: likely (carved artifact entropy is 7.54, consistent with packed or encrypted content). |