Malicious RTF — malware analysis report

Static analysis result for SHA-256 8b5dcf528c1d8f2b…

Verdict: MALICIOUS
File type: RTF
Size: 81.4 KB
Authoring application: Riched20 6.2.9200
First seen: 2021-07-07
MD5: 7825cfba17b09936966f4b47d27ade40
SHA-1: b16bbae9eb648dedb0c1d5d2ff0176c71efbc4d1
SHA-256: 8b5dcf528c1d8f2b0cd1ecb9ad73c2990599bb2f963adf372d99af9dec0a1b8f
Risk score: 142

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

Heuristic analysis indicates the RTF document is designed to lure users into enabling macros and potentially into callback phishing. The embedded document body discusses the Melissa macro virus, which propagated via email and contained passwords to adult websites. VBA code is present, though truncated, suggesting an attempt to execute malicious actions, likely related to the described virus behaviour.

Heuristics (5)

  • ClamAV: Doc.Trojan.Venom-1 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Venom-1
  • Password-protected archive handoff [high] (SE_PASSWORD_ARCHIVE_LURE)
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Macro/content-enable lure [medium] (SE_ENABLE_LURE)
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Callback phishing phone lure [medium] (SE_CALLBACK_LURE)
    Document asks the user to call a phone number in a billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.