Malicious RTF — malware analysis report

Static analysis result for SHA-256 0525ba4022a11428…

Verdict: MALICIOUS
File type: RTF
Size: 191.6 KB
Authoring application: aaa
First seen: 2021-06-20
MD5: 4af6ced3105406337f0adcb59479faf9
SHA-1: b1157a4a6c21681874bd53aacf82f2a72e0d14b7
SHA-256: 0525ba4022a11428e2ef392c42f6a0bdd38fba191836124f9587553ed7d559c9
Risk Score: 182

Malware Insights

MITRE ATT&CK: T1204.002 Malicious File

The RTF file triggers numerous high-severity heuristics for references to Windows API names such as WinExec, CreateProcess, VirtualAlloc, LoadLibrary, and GetProcAddress. Together these indicate that the file is designed to execute arbitrary code, most likely by downloading and running a secondary payload. The presence of an embedded URL, although flagged only as informational rather than as a detection, suggests a potential communication channel. The document body is heavily obfuscated and unreadable, so it provides no further context on the specific lure.

Heuristics (6)

  • SC_STR_WINEXEC (high): Reference to WinExec API
  • SC_STR_CREATEPROCESS (high): Reference to CreateProcess API
  • SC_STR_LOADLIBRARY (high): Reference to LoadLibrary API
  • SC_STR_GETPROCADDRESS (high): Reference to GetProcAddress API
  • SC_STR_VIRTUALALLOC (medium): Reference to VirtualAlloc API
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in RTF body)