MALICIOUS
220
Risk Score
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
The RTF file contains an embedded OLE object that triggers the CVE-2012-0158 vulnerability, related to MSCOMCTL.ListView. This vulnerability allows for the execution of arbitrary code, as indicated by ClamAV detections of Win.Trojan.MSShellcode. The file's purpose is to exploit this known client-side vulnerability for initial execution.
Heuristics 5
-
MSCOMCTL.ListView — CVE-2012-0158 high CVE_2012_0158RTF \objdata decodes to OLE data containing the MSCOMCTL.ListView — CVE-2012-0158 CLSID — the vulnerable control/moniker is embedded directly in the document's object stream, the delivery shape of this exploit. RTF objects auto-render when Word opens the file.
-
ClamAV: Win.Trojan.MSShellcode-6360729-4 critical CLAMAV_DETECTIONClamAV detected this file as malware: Win.Trojan.MSShellcode-6360729-4
-
OLE object data medium RTF_OBJDATARTF contains 1 \objdata section(s) — embedded OLE objects
-
Embedded OLE object medium RTF_OBJEMBRTF contains \objemb — embedded OLE object
-
OlePres presentation stream in RTF OLE object medium RTF_OLEPRES_STREAMRTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
objdata_00_off00000169.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x169 | 4667 bytes |
SHA-256: 935675004180963db571fe023128ce01932c0b6873f0fb97544057c76c53dc16 |
|||
|
Detection
ClamAV:
Win.Trojan.MSShellcode-6360729-4
Obfuscation or payload:
unlikely
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.