Malicious RTF — malware analysis report

Static analysis result for SHA-256 55879db10628c716…

Verdict: MALICIOUS
File type: RTF
Size: 133.1 KB
MD5: d9737c09475ef49143b33121ef483551
SHA-1: f5f9d86a4e1941fc6809fedb273310594832c6f0
SHA-256: 55879db10628c716426e36f927ddd47697ee50457a0816dc1badc068088742d1
Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1059.003 Windows Command Shell
  • T1566.001 Spearphishing Attachment

The RTF document triggers heuristics indicating that it is designed to lure the user into executing commands via the clipboard, and it directly displays instructions for using Windows command-line tools such as PowerShell. The embedded PHP code, although truncated, suggests a web shell or a downloader, with URLs pointing to potentially malicious domains. The primary intent appears to be getting the user to execute further malicious code themselves.

Heuristics (3)

  • Clipboard command execution lure (severity: high, SE_CLIPBOARD_COMMAND_LURE)
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context.
  • Visible LOLBin command execution instruction (severity: high, SE_LOLBIN_RUN_COMMAND)
    Document contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32.
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://3asfh.net/\
    • http://rst.void.ru
    • http://3asfh.net
    • http://127.0.0.1/r57shell_version/version.php?img=1&version=
    • http://127.0.0.1/r57shell_version/version.php?version=
    • http://3asfh.net//*
    • http://ghc.ru/*