MALICIOUS
80
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1071.001 Web Protocols
The RTF file contains embedded PHP source code for an IRC bot, identified by the 'RTF_PHP_IRC_BOT_SOURCE' heuristic. The script is configured to connect to IRC channels and appears to download further payloads or commands from various URLs, such as 'http://pakmin.yourfreehosting.net/perkakas/cmd.txt'. The presence of 'SE_LOLBIN_RUN_COMMAND' suggests the bot may also execute commands on the host system. The overall intent is to establish a remote-controlled backdoor on a compromised web server.
Heuristics 3
-
PHP IRC bot source embedded in RTF high RTF_PHP_IRC_BOT_SOURCERTF document contains PHP source code with IRC socket connection logic, IRC protocol commands, and bot-control indicators. The RTF is acting as a wrapper for bot source rather than an exploit that executes when opened.
-
Visible LOLBin command execution instruction high SE_LOLBIN_RUN_COMMANDDocument contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://pakmin.yourfreehosting.net/perkakas/cmd.txt
- http://uaedesign.com/config/idfx.txt
- http://legalref.ru/cyberz/logs/fxscanlogger.php
- http://brojolelle.org/bnc/cerewet.txt
- http://legalref.ru/cyberz/installpsy.txt
- http://legalref.ru/cyberz/logs/target.txt
- http://localhost/toolz/id.txt
- http://localhost/toolz/fxscanlogger.php
- http://localhost/toolz/uploadshell.txt
- http://localhost/toolz/installpsy.txt
- http://localhost/toolz/target.txt
- http://h1.ripway.com/bsnet/a.txt
- http://83.222.131.90/~legitimi/mybase/r57.txt
- http://politics.wwf.gr/help/css/faq.txt
- http://galee/preman/r57/shell
Open this report in the interactive analyzer, or submit your own file for analysis.