Verdict: MALICIOUS
Risk Score: 122
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment
The sample is an RTF file that triggers the CVE-2012-0158 vulnerability, which allows for arbitrary code execution. The presence of OLE object data further supports this. While no specific family is identified, the exploit mechanism is clear.
Heuristics (5)

- MSCOMCTL.ListView — CVE-2012-0158 (high, CVE_2012_0158): RTF \objdata decodes to OLE data containing the MSCOMCTL.ListView CVE-2012-0158 CLSID. The vulnerable control/moniker is embedded directly in the document's object stream, the delivery shape of this exploit. RTF objects auto-render when Word opens the file.
- x86 GetPC stub (CALL $+5; POP EDI) (high, SC_GETPC_CALL): attempted x86 opcode disassembly at the match offset:

  ```
  0000DCE9 e800000000      call 0xdcee
  0000DCEE 5f              pop edi
  0000DCEF a4              movsb byte ptr es:[edi], byte ptr [esi]
  0000DCF0 1a55a3          sbb dl, byte ptr [ebp - 0x5d]
  0000DCF3 45              inc ebp
  0000DCF4 74d9            je 0xdccf
  0000DCF6 360000          add byte ptr ss:[eax], al
  0000DCF9 00da            add dl, bl
  0000DCFB c539            lds edi, ptr [ecx]
  0000DCFD 9e              sahf
  0000DCFE f759a9          neg dword ptr [ecx - 0x57]
  0000DD01 e302            jecxz 0xdd05
  0000DD03 90              nop
  0000DD04 0000            add byte ptr [eax], al
  0000DD06 54              push esp
  0000DD07 65c21371        ret 0x7113
  0000DD0B cf              iretd
  0000DD0C 2286f65197ad    and al, byte ptr [esi - 0x5268ae0a]
  0000DD12 71a6            jno 0xdcba
  0000DD14 1271b1          adc dh, byte ptr [ecx - 0x4f]
  0000DD17 3a4fc2          cmp cl, byte ptr [edi - 0x3e]
  0000DD1A 3c8c            cmp al, 0x8c
  0000DD1C fa              cli
  0000DD1D 36d8be01e05351  fdivr dword ptr ss:[esi + 0x5153e001]
  0000DD24 be1f000000      mov esi, 0x1f
  0000DD29 005ed8          add byte ptr [esi - 0x28], bl
  0000DD2C 386594          cmp byte ptr [ebp - 0x6c], ah
  0000DD2F 189afa57b7ed    sbb byte ptr [edx - 0x1248a806], bl
  0000DD35 4f              dec edi
  0000DD36 0000            add byte ptr [eax], al
  0000DD38 0000            add byte ptr [eax], al
  0000DD3A 8e1e            mov ds, word ptr [esi]
  0000DD3C 78cf            js 0xdd0d
  0000DD3E 044e            add al, 0x4e
  0000DD40 ca3e91          retf 0x913e
  0000DD43 f65a00          neg byte ptr [edx]
  0000DD46 b7e5            mov bh, 0xe5
  0000DD48 4b              dec ebx
  ```

- OLE object data (medium, RTF_OBJDATA): RTF contains 4 \objdata section(s) (embedded OLE objects).
- OlePres presentation stream in RTF OLE object (medium, RTF_OLEPRES_STREAM): RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
- Embedded URL (info, EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Extracted URL: http://schemas.openxmlformats.org/drawingml/2006/main (in RTF body).
Extracted artifacts (4)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| objdata_00_off0000012f.bin | rtf-objdata-decoded | RTF \objdata at offset 0x12F | 14938 bytes | 43b38d2893b3e8f015394ec8b01b41c9a09ea082c5ef1e57531bb6c69ecca39e |
| objdata_01_off0000792f.bin | rtf-objdata-decoded | RTF \objdata at offset 0x792F | 40 bytes | 37aa5fe751e5aba26b25a2c786f2c29b5f3208f7759cb31145ae2630179935b8 |
| objdata_02_off00007997.bin | rtf-objdata-decoded | RTF \objdata at offset 0x7997 | 4735 bytes | e7f5d503fe6775a6b56903e7fe898e92f2a4e5ba6624d9d15e849866f941c93d |
| objdata_03_off000079f8.bin | rtf-objdata-decoded | RTF \objdata at offset 0x79F8 | 2356 bytes | 0b630dc0bfc216a86fd403651e917f48be40261ed9d4e6ae457652dbcc4bbb7a |