Malicious RTF — malware analysis report

Static analysis result for SHA-256 3a5d2c5286f25c7b…

MALICIOUS

RTF

Size: 15.7 KB
First seen: 2014-04-13
MD5: 663f5d1add95774e85b26a03fa284686
SHA-1: 8d97ca27f6a88bd0572ce8e177ba4deb6624fad3
SHA-256: 3a5d2c5286f25c7b884dbb99df3b033d83be941c78aab76d203d12853444f36d
Risk Score: 182

Heuristics (5)

  • ClamAV: Win.Worm.Mantan-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Worm.Mantan-1
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • ASP webshell / backdoor source high WEBSHELL_ASP
    The file contains classic ASP webshell code — eval/Execute over Request input, or WScript.Shell.Run of request data — i.e. server-side remote-command-execution backdoor source.
  • Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://www.skyinet.net/~young1s/HJKhjnwerhjkxcvytwertnMTFwetrdsfmhPnjw6587345gvsdf7679njbvYT/WIN-BUGSFIX.exe (In RTF body)
    • http://www.skyinet.net/~angelcat/skladjflfdjghKJnwetryDGFikjUIyqwerWe546786324hjk4jnHHGbvbmKLJKjhkqj4w/WIN-BUGSFIX.exe (In RTF body)
    • http://www.skyinet.net/~koichi/jf6TRjkcbGRpGqaq198vbFV5hfFEkbopBdQZnmPOhfgER67b3Vbvg/WIN-BUGSFIX.exe (In RTF body)
    • http://www.skyinet.net/~chu/sdgfhjksdfjklNBmnfgkKLHjkqwtuHJBhAFSDGjkhYUgqwerasdjhPhjasfdglkNBhbqwebmznxcbvnmadshfgqw237461234iuy7thjg/WIN-BUGSFIX.exe (In RTF body)
    • http://www.mirc.com (In RTF body)