RTF malware analysis — malicious · 26b113ba29b03703

MALICIOUS

RTF

42.1 KB Created: 2022-09-21 23:22:00 First seen: 2023-03-17

MD5: 28e5fceaa9878bfbe967639cf2a2fb9b SHA-1: b9ad129f15e565201d860a04e0e26cce97a254e8 SHA-256: 26b113ba29b037034ee34a7f0fea81f6d5452950e0d26058d9b96946d78570c5

122 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File T1059.003 Windows Command Shell

The RTF document contains heuristics indicating the use of ShellExecute and PowerShell, along with a command sequence that directly invokes PowerShell. This PowerShell command is designed to download and execute a batch file ('winint.bat') from the IP address 51.222.103.8. The presence of a related '.crt' file at the same location suggests it may be part of the payload or a component used by the malware.

Heuristics 4

Reference to ShellExecute API high SC_STR_SHELLEXEC

Reference to ShellExecute API
Reference to PowerShell high SC_STR_POWERSHELL

Reference to PowerShell
LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND

Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://51.222.103.8/winint.bat
- http://51.222.103.8/winint.crt
- http://schemas.microsoft.com/office/word/2003/wordml

Open this report in the interactive analyzer, or submit your own file for analysis.