Malicious RTF — malware analysis report

Static analysis result for SHA-256 3dfb5e4bcd9c5c49…

Verdict: MALICIOUS
File type: RTF
Size: 42.2 KB
Authoring application: Msftedit 5.41.21.2508
First seen: 2014-04-29
MD5: 2f25807478fa0143f9df199ad8a0849e
SHA-1: f604b5acc87578416647e16e1ef502b0f6dafdc6
SHA-256: 3dfb5e4bcd9c5c499bb31511b3126651b0114f4d1f20de7504d3a0aca7a2ab56
Risk score: 62

Heuristics (3)

  • Reference to PowerShell  high  SC_STR_POWERSHELL
    A string referencing PowerShell was found in the document. Since RTF can spell a string with hex escapes (\'hh) or break it across control words and groups, this check has to run on the decoded text rather than on the raw file bytes.
  • Callback phishing phone lure  medium  SE_CALLBACK_LURE
    The document asks the user to call a phone number in a billing, refund, subscription, fraud or security context, which is consistent with callback phishing and tech-support-scam patterns. Suppressed for legitimate-issuer documents (IRS, government, official forms) that carry no urgency and no charge/dispute escalation.
  • Embedded URL  info  EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All three URLs below were reached from the RTF body, not from a macro or script, so they show what the text links to rather than an execution path.
    • http://www.howtotell.com  (in RTF body)
    • http://go.microsoft.com/fwlink/?LinkID=66406  (in RTF body)
    • http://www.microsoft.com/info/nareturns.htm  (in RTF body)
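The three heuristics above, re-implemented as an added, self-contained example; this is not the scanner's own code and does not reproduce its risk-score formula. It reuses the report's heuristic identifiers and severities, runs over a constructed sample RTF (not the analysed file) that carries the same indicator kinds, and makes its own assumptions about the context window, keyword lists and issuer/escalation terms used for the callback-lure check and its suppression rule. The RTF-to-text step matters for the PowerShell heuristic: the sample hides the string behind a hex escape, so a raw-byte search misses it and only the decoded text matches. URLs are attributed to the channel they came from (HYPERLINK field vs. plain body), as the report's per-URL labels do.

```python
import re

# Constructed sample RTF (not the analysed file): a PowerShell reference hidden behind
# an RTF hex escape (\'77 is 'w'), a phone number in a charge/refund context, and URLs
# reached via a HYPERLINK field and via the plain body.
SAMPLE_RTF = r"""{\rtf1\ansi\deff0{\fonttbl{\f0 Calibri;}}
\pard Your subscription was charged $299.99.\par
To dispute the charge or request a refund, call 1-800-555-0199 within 24 hours.\par
{\field{\*\fldinst{HYPERLINK "http://www.howtotell.com"}}{\fldrslt www.howtotell.com}}\par
Details: http://go.microsoft.com/fwlink/?LinkID=66406\par
po\'77ershell -nop -w hidden\par
}"""

DESTINATION = re.compile(r"\\(\*|[a-zA-Z]+)")                      # first control word of a group
SKIP_DESTINATIONS = {"*", "fonttbl", "colortbl", "stylesheet", "info"}  # not reader-visible text
TOKEN = re.compile(r"\\'([0-9a-fA-F]{2})|\\([a-zA-Z]+)(-?\d+)?(?: |\r?\n)?|\\(.)|([{}\r\n])", re.S)
URL = re.compile(r'https?://[^\s"<>{}\\]+')
FIELD_URL = re.compile(r'\\fldinst\s*\{?\s*HYPERLINK\s+"(https?://[^"]+)"', re.I)
POWERSHELL = re.compile(r"\b(?:powershell|pwsh)\b", re.I)
PHONE = re.compile(r"(?:\+?1[-. ])?\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b")
# Keyword lists and the 160-char window below are this example's assumptions, not the scanner's.
LURE_CONTEXT = re.compile(r"\b(?:billing|refund|subscription|fraud|security|invoice|charged?|dispute)\b", re.I)
LEGIT_ISSUER = re.compile(r"\b(?:IRS|Internal Revenue Service|official form|\w+\.gov)\b", re.I)
ESCALATION = re.compile(r"\b(?:within \d+ hours?|immediately|urgent(?:ly)?|dispute|charged|suspended)\b", re.I)

def _strip_destinations(rtf):
    r"""Drop groups such as {\fonttbl ...} and {\* ...}, honouring nested braces."""
    out, depth, skip_at, i = [], 0, None, 0
    while i < len(rtf):
        ch = rtf[i]
        if ch == "\\" and rtf[i + 1:i + 2] in ("{", "}", "\\"):
            if skip_at is None:
                out.append(rtf[i:i + 2])          # escaped literal, not a group delimiter
            i += 2
            continue
        if ch == "{":
            depth += 1
            m = DESTINATION.match(rtf, i + 1)
            if skip_at is None and m and m.group(1) in SKIP_DESTINATIONS:
                skip_at = depth                   # skip until this group's closing brace
        elif ch == "}":
            if skip_at == depth:
                skip_at, depth = None, depth - 1
                i += 1
                continue
            depth -= 1
        if skip_at is None:
            out.append(ch)
        i += 1
    return "".join(out)

def _token_to_text(m):
    hexcode, word, _num, symbol, _delim = m.groups()
    if hexcode:
        return chr(int(hexcode, 16))             # \'hh escape -> the byte it encodes
    if word:
        return "\n" if word in ("par", "line") else ""
    if symbol:
        return symbol if symbol in "{}\\" else ""  # \{ \} \\ are literals; \* etc. are markup
    return ""                                    # bare braces and raw line breaks are not text

def rtf_to_text(rtf):
    """Text as a reader would see it: destinations removed, control words dropped, escapes decoded."""
    return TOKEN.sub(_token_to_text, _strip_destinations(rtf)).strip()

def powershell_reference(rtf, text):
    """High: says whether the string is visible in the raw bytes or only after decoding."""
    raw, decoded = bool(POWERSHELL.search(rtf)), bool(POWERSHELL.search(text))
    return {"in_raw_rtf": raw, "after_decoding": decoded} if (raw or decoded) else None

def callback_lure(text, window=160):
    """Medium: phone number near billing/refund/fraud wording, unless a legitimate
    issuer is named and nothing escalates (urgency, charge, dispute)."""
    hits = []
    for m in PHONE.finditer(text):
        ctx = text[max(0, m.start() - window):m.end() + window]
        words = sorted({w.lower() for w in LURE_CONTEXT.findall(ctx)})
        if words:
            hits.append((m.group(0), words))
    if not hits or (LEGIT_ISSUER.search(text) and not ESCALATION.search(text)):
        return None
    return hits

def find_urls(rtf, text):
    """Info: every URL, labelled with the channel it was reached through."""
    found = [(m.group(1), "hyperlink field") for m in FIELD_URL.finditer(rtf)]
    seen = {u for u, _ in found}
    found += [(m.group(0), "RTF body") for m in URL.finditer(text) if m.group(0) not in seen]
    return found

def scan(rtf):
    """Run the three heuristics and return the decoded text plus (id, severity, detail) findings."""
    text = rtf_to_text(rtf)
    findings = []
    for ident, severity, result in (
        ("SC_STR_POWERSHELL", "high", powershell_reference(rtf, text)),
        ("SE_CALLBACK_LURE", "medium", callback_lure(text)),
        ("EMBEDDED_URL", "info", find_urls(rtf, text)),
    ):
        if result:
            findings.append((ident, severity, result))
    return {"text": text, "findings": findings}
```

`scan(SAMPLE_RTF)` returns all three findings; the PowerShell detail reports `in_raw_rtf: False, after_decoding: True`, which is exactly the case a raw `strings`-style search would miss. The destination stripper is what keeps font-table names and the `HYPERLINK` field instruction out of the reader-visible text while `find_urls` still harvests the field's target from the raw RTF.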