MALICIOUS
82
Risk Score
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment
The sample is an RTF document that contains OLE object data, triggering a high-severity heuristic for CVE-2012-0158, a known vulnerability in MSCOMCTL.ListView. The document also contains a lure instructing the user to enable editing, indicating a common malware dropper technique. The embedded URL points to a potential executable payload, suggesting the document's purpose is to exploit the vulnerability and download a secondary stage.
Heuristics 4
-
MSCOMCTL.ListView — CVE-2012-0158 high CVE_2012_0158RTF \objdata decodes to OLE data containing the MSCOMCTL.ListView — CVE-2012-0158 CLSID — the vulnerable control/moniker is embedded directly in the document's object stream, the delivery shape of this exploit. RTF objects auto-render when Word opens the file.
-
OLE object data medium RTF_OBJDATARTF contains 1 \objdata section(s) — embedded OLE objects
-
Macro/content-enable lure medium SE_ENABLE_LUREDocument instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://94.102.63.7/putty.exe
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
objdata_00_off00000cf1.bin1bbe2f007a5d4ff56cdc382a0492beee80dbe9cd4651c683af7eb8a30c7131b0 |
rtf-objdata-decoded | RTF \objdata at offset 0xCF1 | 5700 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.