Malicious RTF — malware analysis report

Static analysis result for SHA-256 9b4162f5af7f56fa…

MALICIOUS

RTF

Size: 193.6 KB
First seen: 2015-09-19
MD5: 2035a8807f0c4fbec4d9a4feead3e770
SHA-1: 51ca03a34ffbba863067d9f6bef7a32a6cd16ef2
SHA-256: 9b4162f5af7f56fa1e98e06aaca0f571b071b6c16324dce547f6a93f64b6d711
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF file contains embedded OLE object data and triggers a high-severity heuristic for CVE-2012-0158, indicating exploitation of a vulnerability in MSCOMCTL.ListView. This suggests the file is designed to execute arbitrary code on a vulnerable system.

Heuristics (2)

  • MSCOMCTL.ListView (CVE-2012-0158) | severity: high | category: CVE related | id: CVE_2012_0158
    The RTF \objdata stream decodes to OLE data containing the CLSID of MSCOMCTL.ListView, the control affected by CVE-2012-0158. The vulnerable control/moniker is embedded directly in the document's object stream, which is the delivery shape of this exploit. RTF objects auto-render when Word opens the file.
  • OLE object data | severity: medium | id: RTF_OBJDATA
    RTF contains 1 \objdata section(s) (embedded OLE objects).

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off0000006e.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x6E
Size: 4668 bytes
SHA-256: c3afeb5a4b402152a085f74c47fb91d947476302c75afb3ac1823dfdfa3913f5