Verdict: MALICIOUS
Risk Score: 120
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1204.002 Malicious File
T1055.012 Process Hollowing
T1055.001 Process Injection
The RTF file contains references to Windows API functions such as VirtualAlloc, VirtualProtect, LoadLibrary, and GetProcAddress, which are commonly used by malware to allocate memory, load libraries, and resolve function addresses for executing shellcode. The presence of these high-severity heuristics suggests the file is designed to download and execute a secondary payload, likely through process injection or hollowing techniques. No specific family could be identified, and no direct IOCs were extracted.
Heuristics (4)
- Reference to LoadLibrary API (severity: high; rule ID: SC_STR_LOADLIBRARY)
- Reference to GetProcAddress API (severity: high; rule ID: SC_STR_GETPROCADDRESS)
- Reference to VirtualAlloc API (severity: medium; rule ID: SC_STR_VIRTUALALLOC)
- Reference to VirtualProtect API (severity: medium; rule ID: SC_STR_VIRTUALPROTECT)