Verdict: MALICIOUS
Risk Score: 140
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment
The RTF file contains embedded OLE objects and triggers the heuristics for CVE-2012-0158 (MS12-027): the decoded object data carries the CLSID of the vulnerable MSCOMCTL.ListView control. The large volume of hex data inside the \objdata sections suggests a hidden payload. Together, the file's structure and the identified vulnerability point to a malicious document built for delivery as a spearphishing attachment.
Heuristics (5)
- MSCOMCTL.ListView, CVE-2012-0158 [high] (CVE_2012_0158): the RTF \objdata decodes to OLE data containing the CLSID of the MSCOMCTL.ListView control vulnerable to CVE-2012-0158. The vulnerable control is referenced directly in the document's object stream, which is the delivery shape of this exploit; RTF objects auto-render when Word opens the file.
- Large hex data blocks in OLE object [high] (RTF_EXCESSIVE_HEX): the RTF contains ~4839KB of hex-encoded data inside \objdata sections, which may hide a payload. Note that the two \objdata objects carved below decode to only 3194 and 5065 bytes, so most of that hex volume is not accounted for by the decoded objects listed under Extracted artifacts.
- OLE object data [medium] (RTF_OBJDATA): the RTF contains 2 \objdata section(s), i.e. embedded OLE objects.
- Embedded OLE object [medium] (RTF_OBJEMB): the RTF contains \objemb, an embedded OLE object.
- OlePres presentation stream in RTF OLE object [medium] (RTF_OLEPRES_STREAM): the RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is a generic OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
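The checks above can be reproduced offline. The script below is an added example, not the analyzer's own code: it walks every {\*\objdata ...} group in an RTF, strips the hex to bytes, parses the OLE 1.0 ObjectHeader ([MS-OLEDS]) to recover the class name, and then scans the decoded blob for the MSCOMCTL ListView CLSIDs and for an OlePres stream name, emitting tags that mirror the heuristic IDs in this report. Assumptions: the two CLSIDs are taken from public MS12-027 signatures and should be verified against your own reference; the 1024 KB "excessive hex" threshold is a placeholder; the sample RTF it builds is constructed and harmless, carrying only the structural shape described above.

```python
"""Added RTF triage example (not the analyzer's own code): decode every
{\\*\\objdata ...} group, parse its OLE 1.0 ObjectHeader, and look for the
MSCOMCTL ListView CLSIDs tied to CVE-2012-0158 and for an OlePres stream."""
import re
import struct
import uuid

# CLSIDs of the MSCOMCTL ListView controls patched by MS12-027, as carried by
# public YARA/Snort signatures. Assumption: verify against your own reference.
LISTVIEW_CLSIDS = {
    "BDD1F04B-858B-11D1-B16A-00C0F0283628": "MSComctlLib.ListViewCtrl.2",
    "996BF5E0-8044-4650-ADEB-0B013914E99C": "MSComctlLib.ListViewCtrl (6.0)",
}
EXCESSIVE_HEX_KB = 1024  # assumed threshold for the "large hex data" heuristic

def _group_body(data: bytes, start: int) -> bytes:
    """Bytes from `start` up to the brace that closes the enclosing RTF group."""
    depth = 0
    for i in range(start, len(data)):
        if data[i] == 0x7B:  # '{'
            depth += 1
        elif data[i] == 0x7D:  # '}'
            if depth == 0:
                return data[start:i]
            depth -= 1
    return data[start:]

def extract_objdata(rtf: bytes):
    """Yield (offset, hex_digit_count, decoded_bytes) for each \\objdata group."""
    for m in re.finditer(rb"\\objdata\b", rtf):
        body = _group_body(rtf, m.end())
        body = re.sub(rb"\\[A-Za-z]+-?\d*", b"", body)  # drop nested control words
        digits = re.sub(rb"[^0-9A-Fa-f]", b"", body)  # the hex may span many lines
        digits = digits[: len(digits) & ~1]  # ignore a dangling nibble
        yield m.start(), len(digits), bytes.fromhex(digits.decode("ascii"))

def parse_ole1_header(blob: bytes):
    """[MS-OLEDS] ObjectHeader: OLEVersion, FormatID, three length-prefixed names."""
    if len(blob) < 8:
        return None
    version, fmt = struct.unpack_from("<II", blob, 0)
    off, names = 8, []
    for _ in range(3):  # ClassName, TopicName, ItemName
        if off + 4 > len(blob):
            return None
        n = struct.unpack_from("<I", blob, off)[0]
        off += 4
        names.append(blob[off:off + n].rstrip(b"\0").decode("latin-1", "replace"))
        off += n
    size = struct.unpack_from("<I", blob, off)[0] if off + 4 <= len(blob) else None
    return {"version": version, "format_id": fmt, "class_name": names[0],
            "native_size": size, "native_offset": off + 4}

def find_listview_clsid(blob: bytes):
    """(name, guid, offset) if a CLSID appears as little-endian bytes or ASCII."""
    for guid, name in LISTVIEW_CLSIDS.items():
        for pat in (uuid.UUID(guid).bytes_le, guid.encode(), guid.lower().encode()):
            i = blob.find(pat)
            if i != -1:
                return name, guid, i
    return None

def triage(rtf: bytes) -> dict:
    """Run the checks; tags mirror the heuristic IDs used in the report."""
    objs = list(extract_objdata(rtf))
    tags = {"RTF_OBJDATA"} if objs else set()
    if b"\\objemb" in rtf:
        tags.add("RTF_OBJEMB")
    hex_kb = sum(n for _, n, _ in objs) // 1024
    if hex_kb >= EXCESSIVE_HEX_KB:
        tags.add("RTF_EXCESSIVE_HEX")
    objects = []
    for off, _, blob in objs:
        hdr, hit = parse_ole1_header(blob), find_listview_clsid(blob)
        if hit:
            tags.add("CVE_2012_0158")
        # compound-file directory entries store stream names in UTF-16LE
        if b"OlePres" in blob or "OlePres".encode("utf-16-le") in blob:
            tags.add("RTF_OLEPRES_STREAM")
        objects.append({"offset": off, "decoded_size": len(blob), "clsid": hit,
                        "class_name": hdr["class_name"] if hdr else None})
    return {"objdata_count": len(objs), "hex_kb": hex_kb, "tags": tags,
            "objects": objects}

def _lp(s: str) -> bytes:
    """LengthPrefixedAnsiString: byte count incl. NUL, then NUL-terminated text."""
    return struct.pack("<I", len(s) + 1) + s.encode() + b"\0" if s else struct.pack("<I", 0)

def constructed_sample() -> bytes:
    """Constructed, harmless RTF with the shape the report describes: one \\objemb
    object naming the ListView control, with the CLSID and an OlePres stream name
    in its native data. Not an exploit."""
    clsid = uuid.UUID("BDD1F04B-858B-11D1-B16A-00C0F0283628").bytes_le
    native = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\0" * 24
              + "OlePres000".encode("utf-16-le") + b"\0" * 12 + clsid + b"\0" * 16)
    ole1 = (struct.pack("<II", 0x501, 2) + _lp("MSComctlLib.ListViewCtrl.2")
            + _lp("") + _lp("") + struct.pack("<I", len(native)) + native)
    hexed = ole1.hex().encode()
    lines = b"\r\n".join(hexed[i:i + 64] for i in range(0, len(hexed), 64))
    return b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata " + lines + b"}}\\par}"
```

Run `triage(open(path, "rb").read())` against a real sample; the `decoded_bytes` it yields are the same blobs this report lists as carved objdata artifacts, so their SHA-256 can be compared directly. The brace-depth walk matters because \objdata groups routinely contain nested groups and stray control words, and a naive regex over the hex would either truncate the object or swallow text from the next group.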
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| objdata_00_off0049db8e.bin | rtf-objdata-decoded | RTF \objdata at offset 0x49DB8E | 3194 bytes | db2f3d42b32b4a8f4fb97f8e081c1534e507c5c718503c9efea52c899dfbe610 |
| objdata_01_off0049f668.bin | rtf-objdata-decoded | RTF \objdata at offset 0x49F668 | 5065 bytes | a268bc486d662f48bab48848a5e843dc96f2ad8e07d6c9f53d6a8b72a13a6ccf |