Malicious RTF — malware analysis report

Static analysis result for SHA-256 d5b39417d72c3488…

Verdict: MALICIOUS
File type: RTF
Size: 142.7 KB
Authoring application: sftedit 5.41.15.1507
First seen: 2019-05-16
MD5: 79152e4f530eb222f6e1a5537f7481ec
SHA-1: 43d79df466a4ebe39f44660a6b3b1c77fe2a4bc1
SHA-256: d5b39417d72c34888939a7cdf39eb114a7c7d91d65fea2b9bf3f39944c56d3d1
Risk Score: 122

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The sample is an RTF file that triggers CVE-2012-0158, a vulnerability that allows arbitrary code execution. The embedded OLE object data further supports this assessment. No specific malware family is identified, but the exploit mechanism is clear.

Heuristics (5)

  • MSCOMCTL.ListView — CVE-2012-0158 [severity: high; category: CVE related; tag: CVE_2012_0158]
    The RTF \objdata decodes to OLE data containing the CLSID of the MSCOMCTL.ListView control (CVE-2012-0158). The vulnerable control/moniker is embedded directly in the document's object stream, which is the delivery shape of this exploit. RTF objects auto-render when Word opens the file.
  • x86 GetPC stub (CALL $+5; POP EDI) [severity: high; tag: SC_GETPC_CALL]
    Disassembly (attempted x86 opcode disassembly of the flagged byte region):
    0000DCDF  e800000000        call 0xdce4
    0000DCE4  5f                pop edi
    0000DCE5  a4                movsb byte ptr es:[edi], byte ptr [esi]
    0000DCE6  1a55a3            sbb dl, byte ptr [ebp - 0x5d]
    0000DCE9  45                inc ebp
    0000DCEA  74d9              je 0xdcc5
    0000DCEC  360000            add byte ptr ss:[eax], al
    0000DCEF  00da              add dl, bl
    0000DCF1  c539              lds edi, ptr [ecx]
    0000DCF3  9e                sahf
    0000DCF4  f759a9            neg dword ptr [ecx - 0x57]
    0000DCF7  e302              jecxz 0xdcfb
    0000DCF9  90                nop
    0000DCFA  0000              add byte ptr [eax], al
    0000DCFC  54                push esp
    0000DCFD  65c21371          ret 0x7113
    0000DD01  cf                iretd
    0000DD02  2286f65197ad      and al, byte ptr [esi - 0x5268ae0a]
    0000DD08  71a6              jno 0xdcb0
    0000DD0A  1271b1            adc dh, byte ptr [ecx - 0x4f]
    0000DD0D  3a4fc2            cmp cl, byte ptr [edi - 0x3e]
    0000DD10  3c8c              cmp al, 0x8c
    0000DD12  fa                cli
    0000DD13  36d8be01e05351    fdivr dword ptr ss:[esi + 0x5153e001]
    0000DD1A  be1f000000        mov esi, 0x1f
    0000DD1F  005ed8            add byte ptr [esi - 0x28], bl
    0000DD22  386594            cmp byte ptr [ebp - 0x6c], ah
    0000DD25  189afa57b7ed      sbb byte ptr [edx - 0x1248a806], bl
    0000DD2B  4f                dec edi
    0000DD2C  0000              add byte ptr [eax], al
    0000DD2E  0000              add byte ptr [eax], al
    0000DD30  8e1e              mov ds, word ptr [esi]
    0000DD32  78cf              js 0xdd03
    0000DD34  044e              add al, 0x4e
    0000DD36  ca3e91            retf 0x913e
    0000DD39  f65a00            neg byte ptr [edx]
    0000DD3C  b7e5              mov bh, 0xe5
    0000DD3E  4b                dec ebx
  • OLE object data [severity: medium; tag: RTF_OBJDATA]
    The RTF contains 4 \objdata section(s), i.e. embedded OLE objects.
  • OlePres presentation stream in RTF OLE object [severity: medium; tag: RTF_OLEPRES_STREAM]
    The RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
  • Embedded URL [severity: info; tag: EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: RTF body)

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
objdata_00_off0000012f.bin | rtf-objdata-decoded | RTF \objdata at offset 0x12F | 14938 bytes
  SHA-256: 43b38d2893b3e8f015394ec8b01b41c9a09ea082c5ef1e57531bb6c69ecca39e
objdata_01_off0000792f.bin | rtf-objdata-decoded | RTF \objdata at offset 0x792F | 40 bytes
  SHA-256: 37aa5fe751e5aba26b25a2c786f2c29b5f3208f7759cb31145ae2630179935b8
objdata_02_off00007997.bin | rtf-objdata-decoded | RTF \objdata at offset 0x7997 | 4735 bytes
  SHA-256: 0dbc012d52290f8a784e61c56b2540b229a2e9c038c5b5b975fa35035698ce12
objdata_03_off000079f8.bin | rtf-objdata-decoded | RTF \objdata at offset 0x79F8 | 2356 bytes
  SHA-256: 0b630dc0bfc216a86fd403651e917f48be40261ed9d4e6ae457652dbcc4bbb7a