Verdict: MALICIOUS (Risk Score: 202)

Malware Insights

MITRE ATT&CK: T1203 Exploitation for Client Execution
The RTF document contains embedded OLE objects and triggers a high-severity heuristic for CVE-2012-0158, indicating exploitation of MSCOMCTL.ListView. ClamAV also identified the file as Rtf.Dropper.Agent-5914133-0, suggesting it acts as a dropper for further malicious activity.
Heuristics (7)

- MSCOMCTL.ListView — CVE-2012-0158 (high, CVE_2012_0158): RTF \objdata decodes to OLE data containing the MSCOMCTL.ListView CLSID associated with CVE-2012-0158; the vulnerable control/moniker is embedded directly in the document's object stream, which is the delivery shape of this exploit. RTF objects auto-render when Word opens the file.
- ClamAV: Rtf.Dropper.Agent-5914133-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Rtf.Dropper.Agent-5914133-0.
- Heap-spray pattern detected (high, SC_HEAP_SPRAY): repeated 0x41 (A) bytes found.
Disassembly

Attempted x86 opcode disassembly of the repeated 0x41 bytes (each decodes to `inc ecx`).
- OLE object data (medium, RTF_OBJDATA): RTF contains 5 \objdata section(s), i.e. embedded OLE objects.
- Embedded OLE object (medium, RTF_OBJEMB): RTF contains \objemb, an embedded OLE object.
- OlePres presentation stream in RTF OLE object (medium, RTF_OLEPRES_STREAM): RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): one or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (5)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 | Detection |
|---|---|---|---|---|---|
| objdata_00_off000000ab.bin | rtf-objdata-decoded | RTF \objdata at offset 0xAB | 103705 bytes | cf84537ce3d1a008bb04bd96141d0773f4b9beb129e8ec20e512bc996d6113b2 | ClamAV: no threats found. Obfuscation or payload: likely (carved artifact entropy is 7.70, consistent with packed or encrypted content). |
| objdata_01_off00034052.bin | rtf-objdata-decoded | RTF \objdata at offset 0x34052 | 440 bytes | ea5d234f81e7c6f4d2681a1e14ba35656c4caea1ff0358220f369a5f5b5ba6da | |
| objdata_02_off000343ee.bin | rtf-objdata-decoded | RTF \objdata at offset 0x343EE | 4730 bytes | dd2c66016e6c146e590fd8107abc0acb29825bb155d518ba263f76a63287a3b2 | |
| objdata_03_off0003444f.bin | rtf-objdata-decoded | RTF \objdata at offset 0x3444F | 2360 bytes | e6dd60646f6317b9d342e28f6bdb71ae12c100a0f1abe02ae6fdc279518e8a4d | |
| objdata_04_off0003af5f.bin | rtf-objdata-decoded | RTF \objdata at offset 0x3AF5F | 167010 bytes | d87a516edbc8fe96134611ba592a38b2a447d7502f19e04a63d468bc09527571 | ClamAV: no threats found. Obfuscation or payload: likely (carved artifact entropy is 7.54, consistent with packed or encrypted content). |