Malicious RTF — malware analysis report

Static analysis result for SHA-256 3dd57e5a0a46a579…

MALICIOUS

RTF

Size: 778.1 KB
First seen: 2015-09-20
MD5: 233bd6fda0b07546779a63fa21e24cb0
SHA-1: 0444cc90d69c13318e23f518f2f67a858621be0b
SHA-256: 3dd57e5a0a46a5795a552b3aa420d05aa77b09293122e4d64d086a60fdfab3dd
Risk Score: 102

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The sample contains the strings LoadLibrary, GetProcAddress, and VirtualAlloc. In a document format that should carry no code, these names are a hallmark of embedded shellcode that resolves Windows APIs at run time (LoadLibrary/GetProcAddress) and allocates executable memory for a second-stage payload (VirtualAlloc). The heuristics are string matches, so locate the embedded object that carries them (for example with an RTF object extractor) before treating them as confirmed. The single extracted URL, http://schemas.openxmlformats.org/drawingml/2006/main, is an OOXML DrawingML namespace identifier found in the RTF body, not a download location, and is not evidence of payload retrieval. Taken together, the RTF structure and the API references are consistent with T1203: exploitation of a client application (here the document reader) to execute attacker code.

Heuristics (4)

  • SC_STR_LOADLIBRARY (high): Reference to LoadLibrary API
  • SC_STR_GETPROCADDRESS (high): Reference to GetProcAddress API
  • SC_STR_VIRTUALALLOC (medium): Reference to VirtualAlloc API
  • EMBEDDED_URL (info): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in RTF body)
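As an added example, not the scanner's or the report's own code, the following Python shows how string heuristics of this kind are applied to an RTF: hex-decode each \objdata object, search the body and the decoded objects for the three API names, and label each extracted URL by the channel it came from, treating known XML namespace URIs as non-detections. The heuristic identifiers and severities are taken from the list above; the decoding logic, the namespace-prefix list, and the sample RTF (including the constructed TEST-NET URL inside the object) are this example's own assumptions.

```python
from __future__ import annotations
import binascii
import re

# Heuristic identifiers and severities as listed in the report above;
# the matching logic itself is this example's, not the scanner's.
API_HEURISTICS = {
    b"LoadLibrary": ("SC_STR_LOADLIBRARY", "high"),
    b"GetProcAddress": ("SC_STR_GETPROCADDRESS", "high"),
    b"VirtualAlloc": ("SC_STR_VIRTUALALLOC", "medium"),
}

# Assumed list of prefixes that denote XML schema/namespace identifiers.
# Word never fetches these; they name a vocabulary, not a download location.
NAMESPACE_PREFIXES = (
    "http://schemas.openxmlformats.org/",
    "http://schemas.microsoft.com/",
    "http://www.w3.org/",
)

OBJDATA_RE = re.compile(rb"\\objdata\b(.*?)(?<!\\)\}", re.DOTALL)
CONTROL_RE = re.compile(rb"\\\*|\\[A-Za-z]+-?\d*[ ]?|\s+")
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")


def decode_objdata(rtf: bytes) -> list[bytes]:
    """Hex-decode every \\objdata group (OLE objects are stored as hex text).
    Control words and whitespace interleaved with the hex, a common trick for
    breaking naive parsers, are stripped first; an odd trailing nibble is
    dropped rather than aborting. \\bin binary runs are not handled here."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexdata = CONTROL_RE.sub(b"", m.group(1))
        hexdata = re.sub(rb"[^0-9A-Fa-f]", b"", hexdata)
        if len(hexdata) % 2:
            hexdata = hexdata[:-1]
        if hexdata:
            blobs.append(binascii.unhexlify(hexdata))
    return blobs


def find_api_strings(data: bytes) -> list[tuple[str, str, str, int]]:
    """Return (heuristic_id, severity, encoding, offset) for each API name,
    checked as ASCII and as UTF-16LE (shellcode import lists use the former,
    wide-string loaders the latter)."""
    hits = []
    for name, (hid, sev) in API_HEURISTICS.items():
        for enc, needle in (("ascii", name), ("utf-16le", name.decode().encode("utf-16le"))):
            off = data.find(needle)
            if off != -1:
                hits.append((hid, sev, enc, off))
    return hits


def extract_urls(data: bytes, source: str) -> list[dict]:
    """Return each URL with the channel it came from and a label: a known
    namespace URI is 'namespace, not a detection', anything else is 'review'."""
    out = []
    for m in URL_RE.finditer(data):
        url = m.group(0).decode("ascii", "replace").rstrip(".,;)")
        label = "namespace, not a detection" if url.startswith(NAMESPACE_PREFIXES) else "review"
        out.append({"url": url, "source": source, "label": label})
    return out


def analyze_rtf(rtf: bytes) -> dict:
    """Run the string heuristics over the RTF body and every decoded object."""
    if not rtf.startswith(b"{\\rt"):  # Word also accepts the truncated {\rt header
        raise ValueError("not an RTF file")
    blobs = decode_objdata(rtf)
    hits = [{"id": h, "severity": s, "encoding": e, "where": f"body+{o:#x}"}
            for h, s, e, o in find_api_strings(rtf)]
    urls = extract_urls(rtf, "body")
    for i, blob in enumerate(blobs):
        hits += [{"id": h, "severity": s, "encoding": e, "where": f"objdata[{i}]+{o:#x}"}
                 for h, s, e, o in find_api_strings(blob)]
        urls += extract_urls(blob, f"objdata[{i}]")
    return {"objects": len(blobs), "hits": hits, "urls": urls}


# Constructed sample, not the analysed file: an embedded object whose hex-encoded
# body carries an API import list and a TEST-NET URL, plus a DrawingML namespace
# URI in the body's \xmlnstbl destination, where Word itself writes such URIs.
PAYLOAD = (
    b"\x01\x05\x00\x00\x02\x00\x00\x00"  # OLE1-style header bytes (constructed)
    b"kernel32.dll\x00LoadLibraryA\x00GetProcAddress\x00VirtualAlloc\x00"
    b"http://198.51.100.7/stage2.bin\x00"  # RFC 5737 address, constructed
)
HEX = PAYLOAD.hex().encode()
SAMPLE_RTF = (
    b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Calibri;}}\n"
    b"{\\*\\xmlnstbl {\\xmlns1 http://schemas.openxmlformats.org/drawingml/2006/main}}\n"
    b"{\\object\\objemb{\\*\\objdata\n" + HEX[:40] + b"\\par\n" + HEX[40:] + b"}}\n"
    b"\\par Quarterly figures attached.\\par}"
)

if __name__ == "__main__":
    import json
    print(json.dumps(analyze_rtf(SAMPLE_RTF), indent=2))
```

Running the script reports three API hits, all located inside the decoded object rather than the RTF text, and two URLs: the namespace URI from the body labelled as a non-detection, and the URL carried inside the object labelled for review. The control word planted in the middle of the hex is stripped before decoding, which is the kind of evasion a body-only string scan misses.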