Risk Score: 264 (MALICIOUS)
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment
The RTF file contains embedded OLE objects and triggers heuristics related to CVE-2012-0158, indicating exploitation of a vulnerability for client execution. The presence of VirtualAlloc, VirtualProtect, and WriteProcessMemory API calls suggests the execution of shellcode or a payload. The file is likely delivered via spearphishing.
Heuristics (10)

- MSCOMCTL.ListView — CVE-2012-0158 (high, CVE_2012_0158): RTF \objdata decodes to OLE data containing the MSCOMCTL.ListView CVE-2012-0158 CLSID; the vulnerable control/moniker is embedded directly in the document's object stream, the delivery shape of this exploit. RTF objects auto-render when Word opens the file.
- Reference to WriteProcessMemory API (critical, SC_STR_WRITEPROCESSMEMORY)
- x86 GetPC stub (CALL $+5; POP EAX) (high, SC_GETPC_CALL)
  Disassembly (attempted x86 opcode disassembly):

  ```
  0009A41B e800000000    call 0x9a420              ; CALL $+5 ...
  0009A420 58            pop eax                   ; ... POP EAX: GetPC stub, EAX = 0x9a420
  0009A421 2de616ff00    sub eax, 0xff16e6
  0009A426 8945fc        mov dword ptr [ebp - 4], eax
  0009A429 8b45fc        mov eax, dword ptr [ebp - 4]
  0009A42C 8be5          mov esp, ebp
  0009A42E 5d            pop ebp
  0009A42F c3            ret
  0009A430 55            push ebp
  0009A431 8bec          mov ebp, esp
  0009A433 83ec30        sub esp, 0x30
  0009A436 53            push ebx
  0009A437 57            push edi
  0009A438 c645d063      mov byte ptr [ebp - 0x30], 0x63   ; 'c'  -- stack string built byte by byte:
  0009A43C c645d16c      mov byte ptr [ebp - 0x2f], 0x6c   ; 'l'     63 6c 65 61 72 65 72 72 00
  0009A440 c645d265      mov byte ptr [ebp - 0x2e], 0x65   ; 'e'     is ASCII "clearerr"
  0009A444 c645d361      mov byte ptr [ebp - 0x2d], 0x61   ; 'a'
  0009A448 c645d472      mov byte ptr [ebp - 0x2c], 0x72   ; 'r'
  0009A44C c645d565      mov byte ptr [ebp - 0x2b], 0x65   ; 'e'
  0009A450 c645d672      mov byte ptr [ebp - 0x2a], 0x72   ; 'r'
  0009A454 c645d772      mov byte ptr [ebp - 0x29], 0x72   ; 'r'
  0009A458 c645d800      mov byte ptr [ebp - 0x28], 0      ; NUL terminator
  0009A45C 8365f400      and dword ptr [ebp - 0xc], 0
  0009A460 8365ec00      and dword ptr [ebp - 0x14], 0
  0009A464 8365f000      and dword ptr [ebp - 0x10], 0
  0009A468 8365f800      and dword ptr [ebp - 8], 0
  0009A46C 8365e800      and dword ptr [ebp - 0x18], 0
  0009A470 e8a2ffffff    call 0x9a417                      ; calls into the GetPC routine above
  0009A475 8945e4        mov dword ptr [ebp - 0x1c], eax
  0009A478 8b45e4        mov eax, dword ptr [ebp - 0x1c]
  ```
- PEB access via FS segment (x86) (high, SC_PEB_ACCESS)
  Disassembly (attempted x86 opcode disassembly):

  ```
  0009A322 64a130000000  mov eax, dword ptr fs:[0x30]      ; fs:[0x30] = PEB
  0009A328 85c0          test eax, eax
  0009A32A 780b          js 0x9a337
  0009A32C 8b400c        mov eax, dword ptr [eax + 0xc]    ; PEB->Ldr
  0009A32F 8b4014        mov eax, dword ptr [eax + 0x14]   ; Ldr->InMemoryOrderModuleList
  0009A332 8b00          mov eax, dword ptr [eax]
  0009A334 8b4010        mov eax, dword ptr [eax + 0x10]
  0009A337 c3            ret
  0009A338 33c9          xor ecx, ecx
  0009A33A 648b5930      mov ebx, dword ptr fs:[ecx + 0x30] ; PEB again, via zeroed ECX
  0009A33E 8b5b0c        mov ebx, dword ptr [ebx + 0xc]    ; PEB->Ldr
  0009A341 8b5b1c        mov ebx, dword ptr [ebx + 0x1c]   ; Ldr->InInitializationOrderModuleList
  0009A344 8b5308        mov edx, dword ptr [ebx + 8]      ; loop: module base
  0009A347 8b4320        mov eax, dword ptr [ebx + 0x20]   ; module name (UTF-16LE)
  0009A34A 8b1b          mov ebx, dword ptr [ebx]          ; next list entry
  0009A34C 81386d007300  cmp dword ptr [eax], 0x73006d     ; "ms"  (UTF-16LE)
  0009A352 7512          jne 0x9a366
  0009A354 81780476006300 cmp dword ptr [eax + 4], 0x630076 ; "vc"
  0009A35B 7509          jne 0x9a366
  0009A35D 81780872007400 cmp dword ptr [eax + 8], 0x740072 ; "rt"  -> "msvcrt"
  0009A364 741a          je 0x9a380
  0009A366 81384d005300  cmp dword ptr [eax], 0x53004d     ; "MS"
  0009A36C 75d6          jne 0x9a344
  0009A36E 81780456004300 cmp dword ptr [eax + 4], 0x430056 ; "VC"
  0009A375 75cd          jne 0x9a344
  0009A377 81780852005400 cmp dword ptr [eax + 8], 0x540052 ; "RT"  -> "MSVCRT"
  0009A37E 75c4          jne 0x9a344                       ; not matched: next module
  0009A380 8bc2          mov eax, edx                      ; matched: return module base
  ```

  The walk of the loader module list comparing UTF-16LE names against "msvcrt"/"MSVCRT" is the classic shellcode module-resolution pattern that this heuristic flags; it does not rely on any import table.
- Reference to VirtualAlloc API (medium, SC_STR_VIRTUALALLOC)
- Reference to VirtualProtect API (medium, SC_STR_VIRTUALPROTECT)
- OLE object data (medium, RTF_OBJDATA): RTF contains 8 \objdata section(s) — embedded OLE objects.
- OlePres presentation stream in RTF OLE object (medium, RTF_OLEPRES_STREAM): RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)
Extracted artifacts (5)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| objdata_00_off0003bfe1.bin | rtf-objdata-decoded | RTF \objdata at offset 0x3BFE1 | 440 bytes | ea5d234f81e7c6f4d2681a1e14ba35656c4caea1ff0358220f369a5f5b5ba6da |
| objdata_01_off0003c3c7.bin | rtf-objdata-decoded | RTF \objdata at offset 0x3C3C7 | 8897 bytes | d5b23106abbdb471d7db86498e4fc95635666a99a0d22a634ae0366259448be8 |
| objdata_02_off0003e767.bin | rtf-objdata-decoded | RTF \objdata at offset 0x3E767 | 2358 bytes | f4b6c586b1c2a7d5b2770b0cbaadc821c54ff616bd00a6da75c1ee9e4b4e4a8b |
| objdata_03_off00045fa0.bin | rtf-objdata-decoded | RTF \objdata at offset 0x45FA0 | 440 bytes | a3ff56ef3583baeedafc81ed966eced212a0d05f9c5d12381e72f4bc292b5439 |
| objdata_04_off00046386.bin | rtf-objdata-decoded | RTF \objdata at offset 0x46386 | 167016 bytes | 7ac4befe7cdd1794606f52b4de9305662334a4befab2427fde9530d7f5fec10f |
Detection

ClamAV: No threats found
Obfuscation or payload: likely. Carved artifact entropy is 7.65, consistent with packed or encrypted content.