Malicious RTF — malware analysis report

Static analysis result for SHA-256 78e41af885bcbe26…

MALICIOUS

RTF

Size: 4.90 MB
Authoring application: Msftedit 5.41.21.2509
First seen: 2015-10-01
MD5: a707d3a97a50f3c774d779f8c69b0337
SHA-1: de3e55bb3ad056ab8a0cf6f843fb6d84bc4fed8f
SHA-256: 78e41af885bcbe26ab0d7064cd43cf55525f0835c5983eb44fb47a8195e78218
Risk score: 140

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment

The RTF file contains embedded OLE objects and triggers the heuristic for CVE-2012-0158 (MS12-027), a buffer overflow in the ListView control of MSCOMCTL.OCX that is exploited through a malformed embedded control. The roughly 4.8 MB of hex-encoded data inside the \objdata sections far exceeds the two decoded OLE objects carved below (about 8 KB in total), so most of the hex is not accounted for by the carved objects and should be inspected manually for a trailing payload or padding. The file's structure and the identified vulnerability point to a malicious document intended for delivery as a spearphishing attachment (T1566.001) that executes when the recipient opens it (T1203).

Heuristics (5)

  • MSCOMCTL.ListView — CVE-2012-0158 (severity: high; category: CVE related; rule: CVE_2012_0158)
    The RTF \objdata decodes to OLE data containing the CLSID of the MSCOMCTL.ListView control associated with CVE-2012-0158: the vulnerable control is embedded directly in the document's object stream, which is the delivery shape of this exploit. Embedded RTF objects are instantiated automatically when Word opens the file, so no interaction beyond opening is required. The CLSID match shows that the vulnerable control is loaded; confirming the overflow itself requires examining the object's native data.
  • Large hex data blocks in OLE object (severity: high; rule: RTF_EXCESSIVE_HEX)
    The RTF contains ~4839 KB of hex-encoded data inside \objdata sections; a run of this size may hide a payload.
  • OLE object data (severity: medium; rule: RTF_OBJDATA)
    The RTF contains 2 \objdata sections (embedded OLE objects).
  • Embedded OLE object (severity: medium; rule: RTF_OBJEMB)
    The RTF contains \objemb, i.e. an embedded (as opposed to linked) OLE object.
  • OlePres presentation stream in RTF OLE object (severity: medium; rule: RTF_OLEPRES_STREAM)
    The RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is a standard OLE presentation-cache marker and is not sufficient on its own to identify CVE-2025-21298.
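As an added worked example (not the report's own tooling), the following Python script reproduces the checks behind the first three heuristics above: it walks each \objdata destination, strips the RTF noise around the hex run, decodes it, parses the OLE1 ObjectHeader (OLEVersion, FormatID, ClassName, NativeDataSize) and reports the class name, whether a known MSCOMCTL ListView CLSID occurs in the decoded bytes, and how many bytes trail the declared object, which is the excess that the RTF_EXCESSIVE_HEX rule keys on. The two CLSIDs are the values commonly cited for CVE-2012-0158 ListView detections and are an assumption here, since the report does not print the CLSID it matched; the RTF built at the bottom is a constructed sample for the demonstration, not data carved from 78e41af885bcbe26….

```python
"""Added example: decode RTF \\objdata runs and check them for MSCOMCTL CLSIDs.

Not the report's own tooling. Run against a file:  python rtf_objdata_triage.py x.rtf
With no argument it triages the constructed sample built by build_sample_rtf().
"""
import re
import struct
import sys
import uuid

# Assumption: CLSIDs commonly used in CVE-2012-0158 detections for the MSCOMCTL
# ListView control. The report does not print which CLSID its heuristic matched.
MSCOMCTL_LISTVIEW_CLSIDS = {
    uuid.UUID("bdd1f04b-858b-11d1-b16a-00c0f0283628"): "MSCOMCTL.ListView.2",
    uuid.UUID("996bf5e0-8044-4650-adeb-0b013914e99c"): "MSCOMCTL.ListView (6.x)",
}

_HEX = frozenset("0123456789abcdefABCDEF")
# RTF control word (\letters[-N][ ]), hex escape (\'hh) or control symbol (\x)
_CONTROL = re.compile(r"\\([A-Za-z]+-?\d* ?|'[0-9A-Fa-f]{2}|[^A-Za-z])")
_OBJDATA = re.compile(r"\\objdata(?![A-Za-z])")


def extract_objdata_hex(rtf: bytes):
    """Yield (offset of the \\objdata control word, hex digits) per destination.

    Only hex digits are kept: whitespace and control words inside the group are
    skipped and nested groups are descended into, since obfuscated samples
    scatter both through the hex run.
    """
    text = rtf.decode("latin-1")          # 1:1 byte-to-char, offsets stay valid
    for m in _OBJDATA.finditer(text):
        i, depth, digits = m.end(), 0, []
        while i < len(text):
            c = text[i]
            if c == "{":
                depth += 1
            elif c == "}":
                if depth == 0:
                    break                 # closing brace of the \objdata group
                depth -= 1
            elif c == "\\":
                cw = _CONTROL.match(text, i)
                i = cw.end() if cw else i + 1
                continue
            elif c in _HEX:
                digits.append(c)
            i += 1
        yield m.start(), "".join(digits)


def _lp_ansi(data: bytes, pos: int):
    """MS-OLEDS LengthPrefixedAnsiString: uint32 length (incl. NUL) then bytes."""
    (n,) = struct.unpack_from("<I", data, pos)
    return data[pos + 4:pos + 4 + n].rstrip(b"\x00").decode("latin-1"), pos + 4 + n


def parse_ole1(blob: bytes) -> dict:
    """Parse the OLE1 ObjectHeader (MS-OLEDS 2.2.4) at the start of blob.

    trailing_bytes = bytes inside \\objdata that the declared object does not
    claim: padding, junk, or a hidden payload. Malformed input stays undecoded.
    """
    out = {"ole_version": None, "format_id": None, "class_name": None,
           "native": b"", "trailing_bytes": len(blob)}
    try:
        version, fmt = struct.unpack_from("<II", blob, 0)
        class_name, pos = _lp_ansi(blob, 8)
        _topic, pos = _lp_ansi(blob, pos)
        _item, pos = _lp_ansi(blob, pos)
        native = b""
        if fmt == 2:                      # EmbeddedObject: NativeDataSize + data
            (size,) = struct.unpack_from("<I", blob, pos)
            native = blob[pos + 4:pos + 4 + size]
            pos += 4 + size
        out.update(ole_version=version, format_id=fmt, class_name=class_name,
                   native=native, trailing_bytes=max(0, len(blob) - pos))
    except struct.error:
        pass                              # too short or truncated header
    return out


def find_clsids(blob: bytes) -> list:
    """Names of known CLSIDs whose little-endian GUID bytes occur in blob."""
    return [n for u, n in MSCOMCTL_LISTVIEW_CLSIDS.items() if u.bytes_le in blob]


def triage_rtf(rtf: bytes) -> list:
    """One finding dict per \\objdata destination in the document."""
    findings = []
    for off, hexstr in extract_objdata_hex(rtf):
        blob = bytes.fromhex(hexstr[:len(hexstr) & ~1])   # drop a stray odd nibble
        obj = parse_ole1(blob)
        findings.append({"offset": off, "hex_chars": len(hexstr),
                         "decoded_bytes": len(blob), "class_name": obj["class_name"],
                         "clsids": find_clsids(blob), "trailing_bytes": obj["trailing_bytes"]})
    return findings


def _lp(s: bytes) -> bytes:
    return struct.pack("<I", len(s) + 1) + s + b"\x00"


def build_sample_rtf() -> bytes:
    """Constructed demo input (not carved from the analysed sample): an OLE1
    embedded object whose stand-in native data holds the ListView.2 CLSID, 64
    junk bytes after the declared object, and a \\par plus line breaks scattered
    through the hex the way obfuscated RTF does."""
    clsid = uuid.UUID("bdd1f04b-858b-11d1-b16a-00c0f0283628").bytes_le
    native = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8 + clsid + b"A" * 32
    ole1 = (struct.pack("<II", 0x501, 2) + _lp(b"MSComctlLib.ListViewCtrl.2")
            + _lp(b"") + _lp(b"") + struct.pack("<I", len(native)) + native)
    hx = (ole1 + b"\x90" * 64).hex()
    body = "\n".join(hx[i:i + 40] for i in range(0, len(hx), 40)).replace("\n", "\\par\n", 1)
    return ("{\\rtf1{\\object\\objemb{\\*\\objdata\n" + body + "\n}}}").encode("latin-1")


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_rtf()
    for f in triage_rtf(data):
        print(f"\\objdata at 0x{f['offset']:X}: {f['hex_chars']} hex chars -> "
              f"{f['decoded_bytes']} bytes, class={f['class_name']!r}, "
              f"clsids={f['clsids']}, trailing={f['trailing_bytes']} bytes")
```

On the constructed sample the script reports one \objdata destination with class name MSComctlLib.ListViewCtrl.2, a ListView.2 CLSID hit and 64 trailing bytes. The trailing count is the figure worth watching on the real file: a hex run of ~4.8 MB that decodes to objects of a few KB leaves almost everything as trailing data, which is where a staged payload would sit.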

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                     Kind                  Source                            Size
objdata_00_off0049db8e.bin   rtf-objdata-decoded   RTF \objdata at offset 0x49DB8E   3194 bytes
    SHA-256: db2f3d42b32b4a8f4fb97f8e081c1534e507c5c718503c9efea52c899dfbe610
objdata_01_off0049f668.bin   rtf-objdata-decoded   RTF \objdata at offset 0x49F668   5065 bytes
    SHA-256: a268bc486d662f48bab48848a5e843dc96f2ad8e07d6c9f53d6a8b72a13a6ccf