RTF malware analysis — malicious · 3562e23d4d0a2db0

MALICIOUS

RTF

1.2 KB First seen: 2021-07-10

MD5: 96965e5ad0a964d1693fe1bff416550b SHA-1: 82d9525c8341d569acb8ae82b7fb3d0f3c499ae3 SHA-256: 3562e23d4d0a2db09cf771dfdbd2f6fbde864a92e538ba728e128191e850f2c7

122 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1059.003 Windows Command Shell T1566.001 Spearphishing Attachment

The RTF document contains embedded content that utilizes Windows Script Host to execute a PowerShell command. This command is designed to download a file from 'https://www.7f92a2GA5.jpg' and execute it, likely as a second-stage payload. The use of PowerShell with execution policy bypass and a hidden window indicates a malicious intent to conceal its actions. The document itself appears to be a lure, containing links that may be part of a social engineering attempt.

Heuristics 4

Reference to PowerShell high SC_STR_POWERSHELL

Reference to PowerShell
Reference to Windows Script Host high SC_STR_WSCRIPT

Reference to Windows Script Host
LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND

Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://www.7f92a2GA5.jpg In RTF body
- https://anonfiles.com/In RTF body
- https://www.upload.ee/download/12332559/90b11a08096e17fa65ff/Class1.vbIn RTF body
- https://www.upload.ee/download/12332633/761eb4bd8bfe17fa6fd6/e2.txtIn RTF body

Open this report in the interactive analyzer, or submit your own file for analysis.