Verdict: MALICIOUS (Risk Score: 202)

Malware Insights

MITRE ATT&CK: T1203 Exploitation for Client Execution
The RTF document contains OLE object data that triggers CVE-2012-0158, a vulnerability in the MSCOMCTL.ListView control that is commonly exploited to achieve arbitrary code execution. The heap-spray pattern together with the string references to VirtualAlloc, LoadLibrary, and GetProcAddress indicate shellcode that is loaded and executed in the Word process, which likely downloads and executes a secondary payload.
Heuristics (7)

- MSCOMCTL.ListView — CVE-2012-0158 (high, CVE_2012_0158): RTF \objdata decodes to OLE data containing the MSCOMCTL.ListView — CVE-2012-0158 CLSID; the vulnerable control/moniker is embedded directly in the document's object stream, the delivery shape of this exploit. RTF objects auto-render when Word opens the file.
- Heap-spray pattern detected (high, SC_HEAP_SPRAY): Repeated 0x06 bytes found.
  - Disassembly: attempted x86 opcode disassembly of the repeated 0x06 bytes.
- Reference to LoadLibrary API (high, SC_STR_LOADLIBRARY): Reference to LoadLibrary API.
- Reference to GetProcAddress API (high, SC_STR_GETPROCADDRESS): Reference to GetProcAddress API.
- Reference to VirtualAlloc API (medium, SC_STR_VIRTUALALLOC): Reference to VirtualAlloc API.
- OLE object data (medium, RTF_OBJDATA): RTF contains 1 \objdata section(s) — embedded OLE objects.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://schemas.openxmlformats.org/drawingml/2006/main (in RTF body)
  - http://schemas.openxmlformats.org/officeDocument/2006/bibliography (in RTF body)
  - http://schemas.openxmlformats.org/officeDocument/2006/customXml (in RTF body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| objdata_00_off00000072.bin | rtf-objdata-decoded | RTF \objdata at offset 0x72 | 3826 bytes | 835c725c512989f8d70f719418a836ba9534ff981f10631ac23423cf31c29af8 |