Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 f99517a596ecd895…

Verdict: MALICIOUS
File type: RTF / .DOC
Size: 491.8 KB
Created: 2010-11-29 16:43:00
MD5: fca2e58207748c32698bb6bdd4659f84
SHA-1: 48d5ea270e2f28e1816dd6fd3b6394c0e44799cc
SHA-256: f99517a596ecd895e90fbc8932299efc38ecc7079377445b2fade95f96fdb0a0
Risk score: 62

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The file is an RTF document containing OLE object data. Static analysis detected the use of MSCOMCTL.ListView, indicating exploitation of CVE-2012-0158. This vulnerability allows for arbitrary code execution when the document is opened. No further malicious payloads or network indicators were detected in this stage.

Heuristics (3)

  • MSCOMCTL.ListView — CVE-2012-0158 [severity: high; category: CVE related; tag: CVE_2012_0158]
    RTF \objdata decodes to OLE data containing the MSCOMCTL.ListView — CVE-2012-0158 CLSID — the vulnerable control/moniker is embedded directly in the document's object stream, the delivery shape of this exploit. RTF objects auto-render when Word opens the file.
  • OLE object data [severity: medium; tag: RTF_OBJDATA]
    RTF contains 2 \objdata section(s) — embedded OLE objects.
  • Embedded URL [severity: info; tag: EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: objdata_00_off00000073.bin
    SHA-256: 97d0d2a728e30be8bf0e752e89f5e7866ecd07af7995b4c8fd1dbf057afb61d6
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x73
    Size: 4668 bytes
  • Filename: objdata_01_off00002b59.bin
    SHA-256: 083b123c6438fa5015598774df2bbc989e131809b240a4476eae52a935ac005a
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x2B59
    Size: 32911 bytes