Malicious RTF — malware analysis report

Static analysis result for SHA-256 d257214f5e4bffdf…

MALICIOUS

RTF

40.0 KB Authoring application: sftedit 5.41.15.1507 First seen: 2019-03-18
MD5: 70302fac4672fb5a60b225257c8d39e5 SHA-1: 46f739745da9fe786ab9c3df88ac3576fa962732 SHA-256: d257214f5e4bffdfb7d39dee4e1efc8951d9defa7644c5c027e65dbc3cc1c504
140 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF document contains embedded OLE objects, with specific heuristics indicating the exploitation of CVE-2012-0158. This vulnerability is known to allow for arbitrary code execution when exploited. The presence of ClamAV detection further confirms the malicious nature of the file, likely delivered as a spearphishing attachment.

Heuristics 4

  • MSCOMCTL.ListView — CVE-2012-0158 high CVE related CVE_2012_0158
    RTF \objdata decodes to OLE data containing the MSCOMCTL.ListView — CVE-2012-0158 CLSID — the vulnerable control/moniker is embedded directly in the document's object stream, the delivery shape of this exploit. RTF objects auto-render when Word opens the file.
  • ClamAV: Doc.Exploit.CVE_2012_0158-6826115-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Exploit.CVE_2012_0158-6826115-0
  • OLE object data medium RTF_OBJDATA
    RTF contains 4 \objdata section(s) — embedded OLE objects
  • OlePres presentation stream in RTF OLE object medium RTF_OLEPRES_STREAM
    RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off0000012f.bin rtf-objdata-decoded RTF \objdata at offset 0x12F 14938 bytes
SHA-256: 43b38d2893b3e8f015394ec8b01b41c9a09ea082c5ef1e57531bb6c69ecca39e
objdata_01_off0000792f.bin rtf-objdata-decoded RTF \objdata at offset 0x792F 40 bytes
SHA-256: 37aa5fe751e5aba26b25a2c786f2c29b5f3208f7759cb31145ae2630179935b8
objdata_02_off00007997.bin rtf-objdata-decoded RTF \objdata at offset 0x7997 4720 bytes
SHA-256: 621076be5f901c77e03cf19e67e3cf49f3b992d2035c2ce0b23be66d1ee1ad08
objdata_03_off000079f8.bin rtf-objdata-decoded RTF \objdata at offset 0x79F8 2356 bytes
SHA-256: 0b630dc0bfc216a86fd403651e917f48be40261ed9d4e6ae457652dbcc4bbb7a

Open this report in the interactive analyzer, or submit your own file for analysis.