Malicious RTF — malware analysis report

Static analysis result for SHA-256 0d719a861be02382…

Verdict: MALICIOUS
File type: RTF
Size: 233.5 KB   Created: 2020-11-17 12:45:00   First seen: 2021-06-30
MD5: 1c416634774a9301010b33dba9ba9db2 SHA-1: d857ce6e78c3d9bd369f6cde4843773ca905fc76 SHA-256: 0d719a861be02382f98f5a629ae67e298c3359500139ac31f958801c74b72744
Risk score: 62

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The RTF file triggers a critical-severity heuristic for remote template injection: its template reference points to a malicious URL. This indicates the document is built to make Word download a malicious template from that URL when the user opens it, most likely to execute further malicious code. The document body itself is a legitimate-looking plan of measures, which serves as the lure.

Heuristics (2)

  • Remote template injection (\*\template → remote URL) [severity: critical; CVE related] RTF_REMOTE_TEMPLATE
    The RTF's \*\template destination is a remote URL/UNC path. When Word opens the document it fetches and loads that template, which can carry macros or an exploit, deliver a scriptlet/HTA, or leak NTLM credentials over UNC. Benign documents attach only a local template, so a remote \*\template target is template-injection delivery (MITRE T1221).
    Evidence: remote \*\template target (Word fetches it on open); raw IP host 83.166.246.59.
  • Embedded URL [severity: info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs found:
    • http://83.166.246.59/DELL620-CD18CS1/allocation/allocation/allocation.dot (in RTF body)
    • http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)