Malicious RTF — malware analysis report

Static analysis result for SHA-256 873804c07c4b8fd5…

Verdict: MALICIOUS
File type: RTF
Size: 115.2 KB
First seen: 2021-11-25
MD5: a93d87d07b91f0dce8348fe1ce91928f
SHA-1: 1b6b9c9b52f9eb64900d21ba83fb122b026a9508
SHA-256: 873804c07c4b8fd5ad6c9474b1b32651172e1349c9c9b8e14b546323ac4fc3ca
Risk score: 60

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF file contains OLE object data and triggers heuristics related to CVE-2012-0158 / CVE-2012-1856, indicating exploitation of a vulnerability in the MSCOMCTL.Toolbar control. This suggests the file is designed to execute arbitrary code when opened, likely delivered via spearphishing.

Heuristics (2)

  • MSCOMCTL.Toolbar — CVE-2012-0158 / CVE-2012-1856 (severity: high; tag: CVE related; id: CVE_2012_1856)
    RTF \objdata decodes to OLE data containing the MSCOMCTL.Toolbar — CVE-2012-0158 / CVE-2012-1856 CLSID — the vulnerable control/moniker is embedded directly in the document's object stream, the delivery shape of this exploit. RTF objects auto-render when Word opens the file.
  • OLE object data (severity: medium; id: RTF_OBJDATA)
    RTF contains 1 \objdata section(s), i.e. embedded OLE object(s).

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00000a4f.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0xA4F
Size: 8423 bytes
SHA-256: d3c87e87db8b0e72e2e13517b36df99fe5f79587816081838b711eb1b109ebe1