Malicious RTF — malware analysis report

Static analysis result for SHA-256 780c5ed2a7c0d72c…

MALICIOUS

RTF

411.6 KB First seen: 2015-03-15
MD5: d2ed25c5a16e88a5c62ddc954e0576cd SHA-1: 35c746b1675a4f7f0e8ae9390c86cfbd43949f9b SHA-256: 780c5ed2a7c0d72ce963e0adaabc60a5c0678c1554f550ce8e433fc212894f2f
144 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The sample is an RTF file that contains embedded OLE objects, one of which is flagged as exploiting CVE-2012-0158. It also includes a remote URL, http://www.derotsurk.nl/webstat/image.php?id=63202627, which is likely used to download a secondary payload. The presence of the CVE exploit and the remote URL strongly suggest a malicious intent to execute code and download further malware.

Heuristics 7

  • MSCOMCTL.ListView — CVE-2012-0158 high CVE related CVE_2012_0158
    RTF \objdata decodes to OLE data containing the MSCOMCTL.ListView — CVE-2012-0158 CLSID — the vulnerable control/moniker is embedded directly in the document's object stream, the delivery shape of this exploit. RTF objects auto-render when Word opens the file.
  • INCLUDETEXT/INCLUDEPICTURE remote URL high RTF_INCLUDE_REMOTE
    RTF document uses INCLUDETEXT or INCLUDEPICTURE with an http:// URL — Word can fetch the remote content on open depending on Office version and external-content settings, enabling remote template injection, NTLM capture via redirects, or payload delivery
  • OLE object data medium RTF_OBJDATA
    RTF contains 3 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • OlePres presentation stream in RTF OLE object medium RTF_OLEPRES_STREAM
    RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.derotsurk.nl/webstat/image.php?id=63202627 In RTF body

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off000000a8.bin rtf-objdata-decoded RTF \objdata at offset 0xA8 5912 bytes
SHA-256: f8f7fdd40540220cd726a1b79fd2ff9f7039b62f602bc086284bdc7f2a17269b
objdata_01_off00003127.bin rtf-objdata-decoded RTF \objdata at offset 0x3127 4364 bytes
SHA-256: e8ecd18c9c4d8ba070db4c5dc415d30a19052710c72492315eb24c3aeb0de91a
objdata_02_off00005531.bin rtf-objdata-decoded RTF \objdata at offset 0x5531 167010 bytes
SHA-256: 98ee3e191293e76175fa61d056bd8b743ad48ebed1317f910688388fae7ed122
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.54, consistent with packed or encrypted content.

Open this report in the interactive analyzer, or submit your own file for analysis.