RTF malware analysis — malicious · ea0d8e4d047812b5

MALICIOUS

RTF

1.05 MB First seen: 2015-09-17

MD5: 1a3987414b086a0b3903bdbedcecbdf0 SHA-1: d279cc57d1f3a223f3487408f723a8e47c82a070 SHA-256: ea0d8e4d047812b5fab5b79ea407c09aa316fc4705b44df8fb21629098720bd2

184 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF document contains OLE object data and triggers heuristics for CVE-2012-0158, indicating exploitation of a vulnerability in MSCOMCTL.ListView. It also includes an embedded remote URL which is likely used to download a secondary payload. The excessive hex data within the OLE object further suggests the presence of hidden malicious content.

Heuristics 8

MSCOMCTL.ListView — CVE-2012-0158 high CVE related CVE_2012_0158

RTF \objdata decodes to OLE data containing the MSCOMCTL.ListView — CVE-2012-0158 CLSID — the vulnerable control/moniker is embedded directly in the document's object stream, the delivery shape of this exploit. RTF objects auto-render when Word opens the file.
Large hex data blocks in OLE object high RTF_EXCESSIVE_HEX

RTF contains ~1044KB of hex-encoded data inside \objdata sections — may hide a payload
INCLUDETEXT/INCLUDEPICTURE remote URL high RTF_INCLUDE_REMOTE

RTF document uses INCLUDETEXT or INCLUDEPICTURE with an http:// URL — Word can fetch the remote content on open depending on Office version and external-content settings, enabling remote template injection, NTLM capture via redirects, or payload delivery
OLE object data medium RTF_OBJDATA

RTF contains 3 \objdata section(s) — embedded OLE objects
Embedded OLE object medium RTF_OBJEMB

RTF contains \objemb — embedded OLE object
OlePres presentation stream in RTF OLE object medium RTF_OLEPRES_STREAM

RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://nynewsguardianinternet.com/webstat/img.php?id=11174148 In RTF body

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off000000dd.bin`	rtf-objdata-decoded	RTF \objdata at offset 0xDD	338392 bytes
SHA-256: `e3a72ddf825a5e6c7d51cf943864678aa3bce86bd8ab9aef8bcec75095b95305`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.77, consistent with packed or encrypted content.
`objdata_01_off000a98a5.bin`	rtf-objdata-decoded	RTF \objdata at offset 0xA98A5	4337 bytes
SHA-256: `e7aec601a0726cff247bacf481ccbabe465effb3b2fb3becd4a82c9b3ea2c405`
`objdata_02_off000abcea.bin`	rtf-objdata-decoded	RTF \objdata at offset 0xABCEA	167010 bytes
SHA-256: `733d1ac3d47fc742fd7c6b5473c357ac3ecf05cfb4da73d3c7e4677077f0bdab`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.56, consistent with packed or encrypted content.

Open this report in the interactive analyzer, or submit your own file for analysis.