Malicious RTF — malware analysis report

Static analysis result for SHA-256 b9ca91d4651446f6…

MALICIOUS

RTF

1.87 MB First seen: 2015-07-16
MD5: 3f57988fa30c927eaec2cd3ea07e1345 SHA-1: 02ada56f35fcf701b5f93e4133caef910d51f6b7 SHA-256: b9ca91d4651446f6cd6283af2acc1a14c73e9abc746323cd684b8f208fc42b8f
160 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF file contains multiple OLE objects with large amounts of hex-encoded data, a common technique for hiding malicious payloads. High-severity heuristics indicate the exploitation of CVE-2012-0158 via MSCOMCTL.ListView, which allows for client-side code execution. The presence of shellcode candidates in extracted artifacts further supports the likelihood of a secondary payload being downloaded and executed.

Heuristics 6

  • MSCOMCTL.ListView — CVE-2012-0158 high CVE related CVE_2012_0158
    RTF \objdata decodes to OLE data containing the MSCOMCTL.ListView — CVE-2012-0158 CLSID — the vulnerable control/moniker is embedded directly in the document's object stream, the delivery shape of this exploit. RTF objects auto-render when Word opens the file.
  • Large hex data blocks in OLE object high RTF_EXCESSIVE_HEX
    RTF contains ~1694KB of hex-encoded data inside \objdata sections — may hide a payload
  • OLE object data medium RTF_OBJDATA
    RTF contains 3 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • OlePres presentation stream in RTF OLE object medium RTF_OLEPRES_STREAM
    RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off000000a9.bin rtf-objdata-decoded RTF \objdata at offset 0xA9 826392 bytes
SHA-256: 92688e3c89334dab0a90e64cb1020c2500019ff224a41b33716e6e10d6d154e1
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: SC_GETPC_CALL Carved artifact entropy is 7.41, consistent with packed or encrypted content.
objdata_01_off0019db69.bin rtf-objdata-decoded RTF \objdata at offset 0x19DB69 4337 bytes
SHA-256: c5033a839498798daaf819e0af3d723a82dbcba9a94f4a84cf1251b0a4855a2a
objdata_02_off0019ffae.bin rtf-objdata-decoded RTF \objdata at offset 0x19FFAE 95810 bytes
SHA-256: 711ab89b1d9590611eec5c9f78c48358c743dec21b5b8ad77dc1a9ae6d66f2cc
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.62, consistent with packed or encrypted content.

Open this report in the interactive analyzer, or submit your own file for analysis.