MALICIOUS
102
Risk Score
Malware Insights
MITRE ATT&CK
T1059 Command and Scripting Interpreter
The sample is an RTF document that contains embedded PHP code, identified as r57shell. This web shell is designed to provide remote command execution and file management capabilities on a compromised web server. The embedded URLs point to the r57shell distribution site, indicating its likely purpose is to deploy or update this malicious tool. The heuristic firing SE_LOLBIN_RUN_COMMAND with 'cmd' further suggests command execution capabilities.
Heuristics 3
-
PHP webshell / backdoor source critical WEBSHELL_PHPThe file contains PHP server-side code with the signature of a webshell/backdoor (named PHP webshell banner (r57shell)). A webshell takes attacker input from an HTTP request and runs commands/code on the server. Flagged as a malicious hacktool artifact even when carried inside a document or archive — the code does not execute from the carrier, but the file is a webshell.
-
LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMANDExtracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://rst.void.ru In RTF body
- http://rst.void.ru/r57shell_version/version.php?img=1&version=In RTF body
- http://rst.void.ru/r57shell_version/version.php?version=In RTF body
Open this report in the interactive analyzer, or submit your own file for analysis.