Malicious RTF — malware analysis report

Static analysis result for SHA-256 8151eda5f0b80e97…

Verdict: MALICIOUS

File type: RTF

Size: 267.6 KB
Authoring application: Msftedit 5.41.15.1507
First seen: 2015-09-24

MD5: 6e4dcc181f25b5d20fc71cd11e3afd10
SHA-1: 69b93b1bce58555774d031747ddf434c348bd15d
SHA-256: 8151eda5f0b80e97bdbc28841541b99bce15c422e76bf9040be69af30081b695

Risk Score: 80

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF file contains OLE object data and triggers a high-severity heuristic for CVE-2012-0158, indicating exploitation of a vulnerability in MSCOMCTL.ListView. This suggests the file is designed to execute arbitrary code upon opening, likely leading to further malicious activity.

Heuristics (3)

  • MSCOMCTL.ListView — CVE-2012-0158 (severity: high; category: CVE related; rule: CVE_2012_0158)
    RTF \objdata decodes to OLE data containing the MSCOMCTL.ListView — CVE-2012-0158 CLSID — the vulnerable control/moniker is embedded directly in the document's object stream, the delivery shape of this exploit. RTF objects auto-render when Word opens the file.
  • OLE object data (severity: medium; rule: RTF_OBJDATA)
    RTF contains 4 \objdata section(s) — embedded OLE objects.
  • OlePres presentation stream in RTF OLE object (severity: medium; rule: RTF_OLEPRES_STREAM)
    RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
objdata_00_off0000012d.bin | rtf-objdata-decoded | RTF \objdata at offset 0x12D | 14937 bytes
    SHA-256: 59085b56d6ad221c28af4561c99eea43838eeb5026cb37f055aefa0b74d16f53
objdata_01_off00007948.bin | rtf-objdata-decoded | RTF \objdata at offset 0x7948 | 440 bytes
    SHA-256: ea5d234f81e7c6f4d2681a1e14ba35656c4caea1ff0358220f369a5f5b5ba6da
objdata_02_off00007ce4.bin | rtf-objdata-decoded | RTF \objdata at offset 0x7CE4 | 4735 bytes
    SHA-256: 0d1214a7df5c09df9791cd62e487301095a33906d61590cfef15b599b8740a51
objdata_03_off00007d45.bin | rtf-objdata-decoded | RTF \objdata at offset 0x7D45 | 2356 bytes
    SHA-256: 0b630dc0bfc216a86fd403651e917f48be40261ed9d4e6ae457652dbcc4bbb7a