RTF malware analysis — malicious · 26fd072fda6e12f8

MALICIOUS

RTF

36.1 KB Created: 2017-05-11 14:42:00 First seen: 2019-05-10

MD5: fe68c2dc0d2419b38f44d83f2fcf232e SHA-1: 6c6e49949957215aa2f3dfb72207d249adf36283 SHA-256: 26fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5

62 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

The RTF document contains a ransomware lure, instructing the user that their files are encrypted and demanding payment in Bitcoin within a limited timeframe. It also explicitly tells the user to disable their antivirus software, which is a common tactic to prevent detection and removal of malicious components. No scripts were extracted from this sample.

Heuristics 3

Security software disable instruction high SE_SECURITY_BYPASS

Document instructs the user to disable antivirus or security software — unusual for ordinary documents and high-risk in an unsolicited file
Callback phishing phone lure medium SE_CALLBACK_LURE

Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.microsoft.com/office/word/2003/wordml In RTF body

Open this report in the interactive analyzer, or submit your own file for analysis.