Verdict: MALICIOUS
Risk Score: 200
MITRE ATT&CK: T1203 Exploitation for Client Execution; T1566.001 Spearphishing Attachment

Malware Insights
The sample is an RTF file that ClamAV identifies as Win.Trojan.Elpapok-1. Its single \objdata section decodes to OLE object data carrying the CLSID of the MSCOMCTL.OCX ListView control, which fires the high-severity CVE-2012-0158 heuristic: the document embeds the vulnerable ActiveX control directly, Word instantiates it when the file is opened, and a buffer overflow in the way the control loads its persisted state gives code execution with no further user interaction. Shellcode candidate regions in the extracted objdata, together with four Windows API names (LoadLibraryA, GetProcAddress, VirtualAlloc, ExitProcess) found XOR-encoded with the single-byte key 0xAC, support this; that API set is the resolver stub of a second stage. The likely intent is to download and execute a secondary payload, although static analysis alone does not establish whether that payload is fetched over the network or carried XOR-encoded inside the document.
Heuristics (5)

- MSCOMCTL.ListView / CVE-2012-0158 [high] CVE_2012_0158: the RTF \objdata section decodes to OLE data containing the MSCOMCTL.ListView CLSID (the control patched in MS12-027 for CVE-2012-0158). The vulnerable control is embedded directly in the document's object stream, which is the delivery shape of this exploit. RTF objects are rendered when Word opens the file, so the control is instantiated without any user interaction.

- ClamAV: Win.Trojan.Elpapok-1 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware (Win.Trojan.Elpapok-1).

- XOR-encoded strings (key 0xAC) [critical] SC_XOR_ENCODED: found 4 Windows library/API names XOR-encoded with the single-byte key 0xAC: 'LoadLibraryA', 'GetProcAddress', 'VirtualAlloc', 'ExitProcess'. A single-byte key is recoverable by brute force (256 candidates), and because NUL ^ 0xAC == 0xAC, runs of 0xAC bytes in the encoded region mark string terminators and padding.

  Disassembly (attempted x86 decode of the region as found, i.e. still encoded):

    00008893 e0c3 loopne 0x8858
    00008895 cdc8 int 0xc8
    00008897 e0c5 loopne 0x885e
    00008899 ce into
    0000889A decd fmulp st(5)
    0000889C de .byte 0xde
    0000889D d5ed aad 0xed
    0000889F ac lodsb al, byte ptr [esi]
    000088A0 ac lodsb al, byte ptr [esi]
    000088A1 48 dec eax
    000088A2 ad lodsd eax, dword ptr [esi]
    000088A3 e1d9 loope 0x887e
    000088A5 c0d8c5 rcr al, 0xc5
    000088A8 ee out dx, al
    000088A9 d5d8 aad 0xd8
    000088AB c9 leave
    000088AC f8 clc
    000088AD c3 ret
    000088AE fb sti
    000088AF c5 .byte 0xc5
    000088B0 c8c9efc4 enter -0x1037, -0x3c
    000088B4 cdde int 0xde
    000088B6 ac lodsb al, byte ptr [esi]
    000088B7 13ade0efe1cd adc ebp, dword ptr [ebp - 0x321e1020]
    000088BD dcff fdiv st(7), st(0)
    000088BF d8de fcomp st(6)
    000088C1 c5 .byte 0xc5
    000088C2 c2cbed ret 0xedcb
    000088C5 ac lodsb al, byte ptr [esi]
    000088C6 ac lodsb al, byte ptr [esi]
    000088C7 6c insb byte ptr es:[edi], dx
    000088C8 ad lodsd eax, dword ptr [esi]
    000088C9 e0ef loopne 0x88ba
    000088CB e1cd loope 0x889a
    000088CD dcff fdiv st(7), st(0)
    000088CF d8de fcomp st(6)
    000088D1 c5 .byte 0xc5
    000088D2 c2cbfb ret 0xfbcb
    000088D5 ac lodsb al, byte ptr [esi]
    000088D6 ac lodsb al, byte ptr [esi]
    000088D7 ffadebc9d8ff jmp ptr [ebp - 0x273615]
    000088DD d8de fcomp st(6)
    000088DF c5 .byte 0xc5
    000088E0 c2cbf8 ret 0xf8cb
    000088E3 d5dc aad 0xdc
    000088E5 c9 leave
    000088E6 ed in eax, dx
    000088E7 ac lodsb al, byte ptr [esi]
    000088E8 ac lodsb al, byte ptr [esi]
    000088E9 fa cli
    000088EA ad lodsd eax, dword ptr [esi]
    000088EB ebc9 jmp 0x88b6
    000088ED d8ff fdivr st(7)
    000088EF d8de fcomp st(6)
    000088F1 c5 .byte 0xc5
    000088F2 c2 .byte 0xc2

  Caveat: the listing disassembles the raw, still-encoded bytes, so the instructions themselves are meaningless (stray FPU operations, loopne branches, ret with odd immediates). XORing the 96 bytes at 0x8893 with 0xAC instead yields 'LoadLibraryA' followed by two NULs, then 'MultiByteToWideChar', 'LCMapStringA', 'LCMapStringW' and 'GetStringTypeA', each preceded by a two-byte value and padded to an even length. That is the layout of a PE import hint/name table, not hand-written shellcode, so decode the whole region with the key and check for an MZ/PE header before treating it as position-independent code.

- OLE object data [medium] RTF_OBJDATA: the RTF contains 1 \objdata section (an embedded OLE object).

- Suspicious extracted artifact [medium] EXTRACTED_FILE_STATIC_TRIAGE: one or more files carved from inside this sample matched static suspicious-content checks (script obfuscation, encoded payload blobs, packed data, or execution/download terms).
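The checks behind the CVE_2012_0158, RTF_OBJDATA and SC_XOR_ENCODED heuristics above, as an added Python example that is not the analyzer's own code: decode the \objdata hex, look for the ListView CLSID in the OLE bytes, brute-force the single-byte XOR key from known API names, and run the decoded bytes through a strings pass. Assumptions: LISTVIEW_CLSID is the registered MSCOMCTL ListView CLSID from Microsoft's MS12-027 control list (the report names the control but does not print the value); SAMPLE_RTF is a constructed document; REPORT_BYTES are the 96 bytes copied from the disassembly listing above; the \objdata parser is a minimal regex, not a full RTF tokenizer.

```python
"""Static triage of an RTF with an embedded OLE object and an XOR-encoded region.

Added example, not the analyzer's code. LISTVIEW_CLSID is the registered
MSCOMCTL.ListView CLSID (MS12-027 / CVE-2012-0158), an assumption of this
example rather than a value printed in the report. REPORT_BYTES is copied
from the report's disassembly listing at 0x8893; SAMPLE_RTF is constructed.
"""
import re
import uuid

LISTVIEW_CLSID = uuid.UUID("BDD1F04B-858B-11D1-B16A-00C0F0283628")  # assumption, see docstring
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")                        # compound-file header
API_NAMES = [b"LoadLibraryA", b"GetProcAddress", b"VirtualAlloc", b"ExitProcess"]

# The raw bytes the report disassembled at 0x8893..0x88F2 (copied from the listing).
REPORT_BYTES = bytes.fromhex(
    "e0c3cdc8e0c5cedecdded5edacac48ade1d9c0d8c5eed5d8c9f8c3fbc5c8c9efc4cddeac"
    "13ade0efe1cddcffd8dec5c2cbedacac6cade0efe1cddcffd8dec5c2cbfbacac"
    "ffadebc9d8ffd8dec5c2cbf8d5dcc9edacacfaadebc9d8ffd8dec5c2")


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def ascii_strings(data: bytes, min_len: int = 4) -> list[bytes]:
    """Printable-ASCII runs, the way `strings` would report them."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


def find_xor_apis(blob: bytes, names=API_NAMES) -> dict[int, list[str]]:
    """Map XOR key -> API names present in blob under that key.
    Key 0 is skipped: a plaintext hit is not obfuscation."""
    hits = {}
    for key in range(1, 256):
        found = [n.decode() for n in names if xor_bytes(n, key) in blob]
        if found:
            hits[key] = found
    return hits


def extract_objdata(rtf: bytes) -> list[tuple[int, bytes]]:
    """(offset of the control word, decoded bytes) for each \\objdata hex run.
    Adequate for the constructed sample; real documents need oletools' rtfobj,
    which handles nested groups and the hex-obfuscation tricks RTF exploits use."""
    out = []
    for m in re.finditer(rb"\\objdata\s*([0-9A-Fa-f\s]+)", rtf):
        hexrun = re.sub(rb"\s", b"", m.group(1))
        hexrun = hexrun[: len(hexrun) & ~1]          # drop a dangling nibble
        out.append((m.start(), bytes.fromhex(hexrun.decode())))
    return out


def find_clsid(blob: bytes, clsid: uuid.UUID) -> int:
    """Offset of the CLSID as stored on disk (Data1..3 little-endian), or -1."""
    return blob.find(clsid.bytes_le)


def triage(rtf: bytes) -> list[dict]:
    results = []
    for off, blob in extract_objdata(rtf):
        results.append({
            "objdata_offset": off,
            "size": len(blob),
            "ole_magic": blob.startswith(OLE_MAGIC),
            "listview_clsid_offset": find_clsid(blob, LISTVIEW_CLSID),
            "xor_apis": find_xor_apis(blob),
        })
    return results


def build_sample() -> bytes:
    """Constructed RTF: an OLE-looking blob carrying the ListView CLSID, then the
    four API names NUL-separated and XOR'd with 0xAC (NUL ^ 0xAC == 0xAC, which is
    why the report's listing is full of 0xAC 'lodsb' bytes)."""
    payload = OLE_MAGIC + b"\x00" * 24 + LISTVIEW_CLSID.bytes_le + b"\x00" * 16
    payload += xor_bytes(b"\x00".join(API_NAMES) + b"\x00", 0xAC)
    hexrun = payload.hex().encode()
    lines = b"\n".join(hexrun[i:i + 64] for i in range(0, len(hexrun), 64))
    return b"{\\rtf1{\\object\\objemb{\\*\\objdata " + lines + b"}}}"


SAMPLE_RTF = build_sample()

if __name__ == "__main__":
    for r in triage(SAMPLE_RTF):
        print(r)
    # The report's own bytes decode to a fragment of a PE import hint/name table.
    print(ascii_strings(xor_bytes(REPORT_BYTES, 0xAC)))
```

Running the script against the constructed document reports the OLE magic, the CLSID at offset 32 of the object, and key 0xAC with all four names; decoding REPORT_BYTES with that key recovers LoadLibraryA, MultiByteToWideChar, LCMapStringA, LCMapStringW and GetStringTypeA, which is why the region should be treated as an encoded executable rather than disassembled in place.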
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| objdata_00_off000000a5.bin | rtf-objdata-decoded | RTF \objdata at offset 0xA5 | 5000 bytes |

SHA-256: 1a276f438b1e291955a02df5fb4d5638cf6f1f4c804f5ed0c7933a1ad00ca27b

Detection (carved file):
ClamAV: no threats found. The Win.Trojan.Elpapok-1 signature fires on the RTF container, not on the decoded OLE object, so a clean ClamAV result on this artifact does not weaken the verdict.
Obfuscation or payload: likely. Static shellcode analysis found candidate code region(s); indicator: SC_MSF_BIND.
The disassembly offsets above (0x8893 onward) exceed the carved size, so they address the RTF file rather than this artifact; check whether 5000 bytes is the object's full length or a carving cap before assuming the carve contains everything the shellcode references.