MALICIOUS (Risk Score: 100)
Malware Insights
MITRE ATT&CK: T1059.001 PowerShell
The RTF file contains embedded PHP source code identified as an IRC bot. The script is configured to join the channel '#Intau' with a password 'fir' and uses a list of 'biarlah|NNN|' nicknames. This suggests the file is a dropper or carrier for a malicious IRC bot, likely used for remote administration or coordination of malicious activities.
Heuristics (2)
- PHP webshell / backdoor source [critical] WEBSHELL_PHP: The file contains PHP server-side code with the signature of a webshell/backdoor (request input fed to a command/code-exec sink with a decoder/second sink (RCE backdoor)). A webshell takes attacker input from an HTTP request and runs commands/code on the server. Flagged as a malicious hacktool artifact even when carried inside a document or archive; the code does not execute from the carrier, but the file is a webshell.
- PHP IRC bot source embedded in RTF [high] RTF_PHP_IRC_BOT_SOURCE: The RTF document contains PHP source code with IRC socket connection logic, IRC protocol commands, and bot-control indicators. The RTF is acting as a wrapper for bot source rather than an exploit that executes when opened.