MALICIOUS
62
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1566.002 Spearphishing Link
T1059.007 JavaScript
The sample is an RTF document that impersonates Microsoft and uses the IRS as a lure to trick the user into clicking a link to verify their tax information, which is a common credential phishing tactic. The document body contains a warning about external emails and directs the user to verify their IRS Tax information, likely leading to a credential harvesting page. The embedded URLs and the heuristic firings strongly suggest a phishing attack.
Heuristics 3
-
Brand-impersonation credential phishing lure high SE_BRAND_CREDENTIAL_PHISHDocument impersonates a well-known consumer brand and uses account-security / verification language ('unusual activity', 'account on hold', 'verify your account') to steer the reader to a credential-harvesting link. Corroborated by: call-to-action link host does not match the impersonated brand: http://www.w3.org/TR/REC-html40.
-
Callback phishing phone lure medium SE_CALLBACK_LUREDocument asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://www.symanteccloud.com In RTF body
- https://greenir.weebly.com/In RTF body
- http://schemas.microsoft.com/office/2004/12/ommlIn RTF body
- http://www.w3.org/TR/REC-html40In RTF body
Open this report in the interactive analyzer, or submit your own file for analysis.