Malicious RTF — malware analysis report

Static analysis result for SHA-256 e1552f04ca253e39…

MALICIOUS

RTF

1.41 MB First seen: 2015-01-04
MD5: 9fbb8d4136ad263459cdbd51644ee657 SHA-1: 7bb6ea632a9944ee90fc2714a362c19451ea0e36 SHA-256: e1552f04ca253e3910d0b3fa0e96bca3ce43561c2cb53162bad1436b4d5f0de5
182 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF document contains multiple indicators of malicious activity, including embedded OLE objects and excessive hex data, strongly suggesting the presence of a hidden payload. High-confidence heuristics identify exploits for CVE-2012-0158 and CVE-2014-1761, which are commonly used to achieve arbitrary code execution within Microsoft Office applications. The presence of these vulnerabilities indicates the file is designed to exploit a user opening it, likely delivered via spearphishing.

Heuristics 7

  • MSCOMCTL.ListView — CVE-2012-0158 high CVE related CVE_2012_0158
    RTF \objdata decodes to OLE data containing the MSCOMCTL.ListView — CVE-2012-0158 CLSID — the vulnerable control/moniker is embedded directly in the document's object stream, the delivery shape of this exploit. RTF objects auto-render when Word opens the file.
  • CVE-2014-1761 — \listoverridecount large value (2611111) high CVE exact CVE_2014_1761
    RTF \listoverridecount value 2611111 far exceeds normal bounds — exploited by CVE-2014-1761 to trigger a heap corruption in Word; used in targeted attacks
  • Large hex data blocks in OLE object high RTF_EXCESSIVE_HEX
    RTF contains ~1074KB of hex-encoded data inside \objdata sections — may hide a payload
  • OLE object data medium RTF_OBJDATA
    RTF contains 3 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • OlePres presentation stream in RTF OLE object medium RTF_OLEPRES_STREAM
    RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off000000a8.bin rtf-objdata-decoded RTF \objdata at offset 0xA8 523952 bytes
SHA-256: b16b37c658c5598bcf7985ec2c5ed133d84687392c136689667d8d0ef51ec9bc
objdata_01_off001065f9.bin rtf-objdata-decoded RTF \objdata at offset 0x1065F9 4365 bytes
SHA-256: 59975f48675c3e6cf9adf6cd186f890fca37d794ccf081fe6a62c20ee7a5cb13
objdata_02_off001089f8.bin rtf-objdata-decoded RTF \objdata at offset 0x1089F8 167000 bytes
SHA-256: 28ff30d2f270473b7bc5fadc95b1bc479a2c83f4179bc038a3e9edf98516b514
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.53, consistent with packed or encrypted content.

Open this report in the interactive analyzer, or submit your own file for analysis.