Malicious RTF — malware analysis report

Static analysis result for SHA-256 61de3df463f94f85…

MALICIOUS

RTF

1.12 MB Authoring application: sftedit 5.41.15.1507
MD5: 20c96609d10b2d497031e1e42970913a SHA-1: 6f2688d24c67b766c4e3fc5de08e3f2137b71fad SHA-256: 61de3df463f94f8583934edb227b174c7e4473b89bd110a6f6ba44fad8c41943
80 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The sample is an RTF file that contains embedded OLE objects. Heuristics indicate a high likelihood of exploitation for CVE-2012-0158, a known vulnerability related to MSCOMCTL.ListView. This suggests the file is designed to exploit this vulnerability to achieve code execution upon opening. The presence of OLE objects and the specific CVE targeted point towards a malicious document, likely delivered via spearphishing.

Heuristics 3

  • MSCOMCTL.ListView — CVE-2012-0158 high CVE related CVE_2012_0158
    RTF \objdata decodes to OLE data containing the MSCOMCTL.ListView — CVE-2012-0158 CLSID — the vulnerable control/moniker is embedded directly in the document's object stream, the delivery shape of this exploit. RTF objects auto-render when Word opens the file.
  • OLE object data medium RTF_OBJDATA
    RTF contains 4 \objdata section(s) — embedded OLE objects
  • OlePres presentation stream in RTF OLE object medium RTF_OLEPRES_STREAM
    RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off0000012f.bin
0cc6ee56fc552f60089fcfce3ec59ea9713acc1a9f006ac4f4e238d1901c5adf		 rtf-objdata-decoded RTF \objdata at offset 0x12F 14938 bytes
objdata_01_off0000792f.bin
37aa5fe751e5aba26b25a2c786f2c29b5f3208f7759cb31145ae2630179935b8		 rtf-objdata-decoded RTF \objdata at offset 0x792F 40 bytes
objdata_02_off00007997.bin
fbad1dd620a3dca47f3a6c59f5863dd2f0d025302ba636b738d2a47d81b2e18b		 rtf-objdata-decoded RTF \objdata at offset 0x7997 4724 bytes
objdata_03_off000079f8.bin
5bc3f6b8992aaca675581db7734e23302f18b6a5f88a3d82264503e25a4f72d6		 rtf-objdata-decoded RTF \objdata at offset 0x79F8 2355 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.