MALICIOUS
140
Risk Score
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
The RTF document contains an OLE object that triggers the CVE-2012-0158 vulnerability in the MSCOMCTL.ListView control. This indicates the file is designed to exploit this known client-side vulnerability for code execution. ClamAV also identifies the sample as Win.Trojan.Elpapok-1.
Heuristics 4
-
MSCOMCTL.ListView — CVE-2012-0158 high CVE_2012_0158RTF \objdata decodes to OLE data containing the MSCOMCTL.ListView — CVE-2012-0158 CLSID — the vulnerable control/moniker is embedded directly in the document's object stream, the delivery shape of this exploit. RTF objects auto-render when Word opens the file.
-
ClamAV: Win.Trojan.Elpapok-1 critical CLAMAV_DETECTIONClamAV detected this file as malware: Win.Trojan.Elpapok-1
-
OLE object data medium RTF_OBJDATARTF contains 1 \objdata section(s) — embedded OLE objects
-
Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
objdata_00_off000000a0.bin |
rtf-objdata-decoded | RTF \objdata at offset 0xA0 | 5065 bytes |
SHA-256: 5b26a6ec5cb485dc3a2c3ee01f16ee91906db7b0b4bbf1870270c07afa12a5b5 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Static shellcode analysis found candidate code region(s). Indicators: SC_PEB_ACCESS
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.