Malicious RTF — malware analysis report

Static analysis result for SHA-256 52dadbf6e3c82d0c…

Verdict: MALICIOUS
File type: RTF
Size: 33.7 KB
First seen: 2026-05-10
MD5: 2be34163381df0b83f6fc816361f357d
SHA-1: 238d1427fc68cabe18df58564d1ce97586dc1d89
SHA-256: 52dadbf6e3c82d0cd738c588d916f691b518af1aafb46234b615c5b5d2d87334
Risk score: 100

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell (note: the heuristics below identify PHP source, not PowerShell; nothing else on this page supports this mapping)

The RTF file carries embedded PHP source code identified as an IRC bot. The script is configured to join the channel '#Intau' with the password 'fir' and draws its nicknames from a 'biarlah|NNN|' list. The RTF is a carrier for the bot source rather than an exploit document: nothing runs when the document is opened, but the PHP it contains is a bot likely used for remote administration of the host it is deployed on or for coordinating other malicious activity over IRC.

Heuristics (2)

  • PHP webshell / backdoor source [critical] WEBSHELL_PHP
    The file contains PHP server-side code matching a webshell/backdoor signature: input taken from an HTTP request is fed to a command- or code-execution sink, here through a decoder or a second sink, which is the shape of an RCE backdoor. A webshell takes attacker input from an HTTP request and runs commands or code on the server. The artifact is flagged as a malicious hacktool even though it is carried inside a document or archive: the code does not execute from the carrier, but the file is a webshell.
  • PHP IRC bot source embedded in RTF [high] RTF_PHP_IRC_BOT_SOURCE
    The RTF document contains PHP source code with IRC socket-connection logic, IRC protocol commands, and bot-control indicators. The RTF acts as a wrapper for bot source rather than as an exploit that executes when the document is opened.