r57shell — RTF malware analysis

Static analysis result for SHA-256 1c1d97527d58057b…

MALICIOUS

RTF

133.4 KB First seen: 2026-05-11
MD5: dfde87ed88e3c72abbbd652a8bcaa3bb SHA-1: 48b66243eb8af085211ad1fbffa5f77fd5727957 SHA-256: 1c1d97527d58057be627eedb5669d970b86b064a1ee64914fc17e0b918a80824
102 Risk Score

Malware Insights

r57shell · confidence 90%

MITRE ATT&CK
T1059 Command and Scripting Interpreter

The sample is an RTF document that contains embedded PHP code, identified as r57shell. This web shell is designed to provide remote command execution and file management capabilities on a compromised web server. The embedded URLs point to the r57shell distribution site, indicating its likely purpose is to deploy or update this malicious tool. The heuristic firing SE_LOLBIN_RUN_COMMAND with 'cmd' further suggests command execution capabilities.

Heuristics 3

  • PHP webshell / backdoor source critical WEBSHELL_PHP
    The file contains PHP server-side code with the signature of a webshell/backdoor (named PHP webshell banner (r57shell)). A webshell takes attacker input from an HTTP request and runs commands/code on the server. Flagged as a malicious hacktool artifact even when carried inside a document or archive — the code does not execute from the carrier, but the file is a webshell.
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://rst.void.ru In RTF body
    • http://rst.void.ru/r57shell_version/version.php?img=1&version=In RTF body
    • http://rst.void.ru/r57shell_version/version.php?version=In RTF body