Malicious RTF — malware analysis report

Static analysis result for SHA-256 a60626da1b712b7a…

Verdict: MALICIOUS
File type: RTF
Size: 492.8 KB
First seen: 2015-10-13
MD5: bfdbc5f6e505107771c866a227c6e5c0
SHA-1: 0658049ebe112a3f17cf56a4b6c1a7f34867181e
SHA-256: a60626da1b712b7a00eb09d5e0fbda1f453d3e58fcf1fcef13497df836e9d085
Risk score: 260

Heuristics (6)

  • MSCOMCTL.ListView RTF object with shellcode, CVE-2012-0158 [severity: critical; CVE likely; rule: CVE_2012_0158]
    RTF embeds an MSCOMCTL ListView ActiveX object in \objdata and the same object stream contains shellcode-like hex bytes (NOP sled plus function-prologue/GetPC style code). This is the weaponized RTF delivery shape of CVE-2012-0158, including payload evidence, not just a benign reference to the control.
  • CVE-2012-0158 RTF embedded encrypted payload [severity: high; CVE related; rule: RTF_CVE_2012_0158_EMBEDDED_PAYLOAD]
    The CVE-2012-0158 document embeds a large high-entropy binary blob — the encrypted/packed second-stage payload the exploit shellcode drops and runs. Hex-encoded object data cannot reach this entropy, so the region is genuine binary, not markup. The payload is encrypted in the file, so it is surfaced as an IOC (offset, size, SHA-256) rather than a decoded executable.
  • ClamAV: Rtf.Exploit.Cve_2014_1761-2 [severity: critical; rule: CLAMAV_DETECTION]
    ClamAV detected this file as malware: Rtf.Exploit.Cve_2014_1761-2
  • XOR-encoded strings (key 0xF3) [severity: critical; rule: SC_XOR_ENCODED]
    Found 2 Windows library/API name(s) XOR-encoded with single-byte key 0xF3: 'advapi32.dll', 'advapi32.dll'
    Disassembly hidden: these bytes score as data, not coherent x86 code (4 of 8 branch targets land on an instruction boundary, 50% coherence).
  • OLE object data [severity: medium; rule: RTF_OBJDATA]
    RTF contains 2 \objdata section(s) — embedded OLE objects
  • OlePres presentation stream in RTF OLE object [severity: medium; rule: RTF_OLEPRES_STREAM]
    RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                     Kind                  Source                         Size
objdata_00_off00000080.bin   rtf-objdata-decoded   RTF \objdata at offset 0x80    14938 bytes
    SHA-256: 43b38d2893b3e8f015394ec8b01b41c9a09ea082c5ef1e57531bb6c69ecca39e
objdata_01_off00007868.bin   rtf-objdata-decoded   RTF \objdata at offset 0x7868  5686 bytes
    SHA-256: ad7105df08ae2e1fd0ab47f30e3cce6337c3e810b110fb3c76da50ee3f0dd4d0