Malicious RTF — malware analysis report

Static analysis result for SHA-256 eb01fa78d3599361…

MALICIOUS

RTF

Size: 417.2 KB
Authoring application: Msftedit 5.41.15.1515
First seen: 2014-12-09
MD5: 945faa6eac845e8c7c4945179c8e3941
SHA-1: 34028164f2e0582bdc70a9fdfa47fe9bc71f85c8
SHA-256: eb01fa78d3599361b45d83dddfea039e89240c034038978b521d99717ec674e7
Risk score: 162

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF file contains embedded OLE objects and triggers a high-severity heuristic for CVE-2012-0158, indicating exploitation of a vulnerability in MSCOMCTL.ListView. This suggests the file is designed to execute arbitrary code upon opening, likely delivered via spearphishing.

Heuristics (6)

  • MSCOMCTL.ListView — CVE-2012-0158 (severity: high; CVE related; tag: CVE_2012_0158)
    RTF \objdata decodes to OLE data containing the MSCOMCTL.ListView — CVE-2012-0158 CLSID: the vulnerable control/moniker is embedded directly in the document's object stream, which is the delivery shape of this exploit. RTF objects auto-render when Word opens the file.
  • ClamAV: Doc.Exploit.CVE_2012_0158-6826115-0 (severity: critical; tag: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Exploit.CVE_2012_0158-6826115-0
  • OLE object data (severity: medium; tag: RTF_OBJDATA)
    RTF contains 3 \objdata section(s), i.e. embedded OLE objects.
  • Embedded OLE object (severity: medium; tag: RTF_OBJEMB)
    RTF contains \objemb, an embedded OLE object.
  • OlePres presentation stream in RTF OLE object (severity: medium; tag: RTF_OLEPRES_STREAM)
    RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
  • Suspicious extracted artifact (severity: info; tag: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename / kind / source / size:

  • objdata_00_off0000150d.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x150D
    Size: 8352 bytes
    SHA-256: 7ed9713f83d3ce4a2399b2ed72e89e46cbc1bfd2d66381a789296fe16c3f002a
  • objdata_01_off0000583d.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x583D
    Size: 4366 bytes
    SHA-256: 0f8000af6eb5c10000a384e33a92f58e39dd8e965dca04863891b8e510c84201
  • objdata_02_off00007bde.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x7BDE
    Size: 167000 bytes
    SHA-256: f1457cd24d386471a59c1e9004b0b7519c0857113ea10397abf893a0a634914a

Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.54, consistent with packed or encrypted content.