MALICIOUS
162
Risk Score
Heuristics 5
-
MSCOMCTL.ListView — CVE-2012-0158 high CVE_2012_0158RTF \objdata decodes to OLE data containing the MSCOMCTL.ListView — CVE-2012-0158 CLSID — the vulnerable control/moniker is embedded directly in the document's object stream, the delivery shape of this exploit. RTF objects auto-render when Word opens the file.
-
CVE-2012-0158 RTF embedded encrypted payload high RTF_CVE_2012_0158_EMBEDDED_PAYLOADThe CVE-2012-0158 document embeds a large high-entropy binary blob — the encrypted/packed second-stage payload the exploit shellcode drops and runs. Hex-encoded object data cannot reach this entropy, so the region is genuine binary, not markup. The payload is encrypted in the file, so it is surfaced as an IOC (offset, size, SHA-256) rather than a decoded executable.
-
ClamAV: Win.Trojan.Elpapok-1 critical CLAMAV_DETECTIONClamAV detected this file as malware: Win.Trojan.Elpapok-1
-
OLE object data medium RTF_OBJDATARTF contains 1 \objdata section(s) — embedded OLE objects
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.microsoft.com/office/word/2003/wordml In RTF body
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
objdata_00_off000013c6.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x13C6 | 38640 bytes |
SHA-256: cadff2d6a8be5ba7ed85c9ae53689f7a46cba7d02c3b496a5d81b02413939ad7 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.