MALICIOUS
200
Risk Score
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
The file is an RTF document containing OLE object data that exploits the CVE-2012-0158 vulnerability. ClamAV identifies this as Win.Trojan.Elpapok-1. The presence of shellcode candidate regions and command strings within the decoded objdata suggests the execution of arbitrary code, likely to download and run a subsequent stage.
Heuristics 5
-
MSCOMCTL.ListView — CVE-2012-0158 high CVE_2012_0158RTF \objdata decodes to OLE data containing the MSCOMCTL.ListView — CVE-2012-0158 CLSID — the vulnerable control/moniker is embedded directly in the document's object stream, the delivery shape of this exploit. RTF objects auto-render when Word opens the file.
-
ClamAV: Win.Trojan.Elpapok-1 critical CLAMAV_DETECTIONClamAV detected this file as malware: Win.Trojan.Elpapok-1
-
Reference to ShellExecute API high SC_STR_SHELLEXECReference to ShellExecute API
-
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
OLE object data medium RTF_OBJDATARTF contains 1 \objdata section(s) — embedded OLE objects
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
objdata_00_off000000a5.bin |
rtf-objdata-decoded | RTF \objdata at offset 0xA5 | 5065 bytes |
SHA-256: 00bac28d02e735122e3ccfaaa96515921c7aa08e61bc3f916c9be93d3a2805fd |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Static shellcode analysis found candidate code region(s). Indicators: SC_GETPC_CALL Static shellcode analysis recovered command string(s): cmd /c "Y_��gd�0
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.