Malicious RTF — malware analysis report

Static analysis result for SHA-256 92b5c30d0dc79082…

Verdict: MALICIOUS
File type: RTF
Size: 664.9 KB
First seen: 2024-10-18
MD5: ab386df4cc481edfb162c6bee296d486
SHA-1: 14a552f1030332d42bde74755050331594d8150a
SHA-256: 92b5c30d0dc79082e817d0ff06a985ead86dfcdff5d067922a027083eb7aba1e
Risk Score: 402

Malware Insights

MITRE ATT&CK
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1003.001 OS Credential Dumping: LSASS Memory
  • T1218.011 System Binary Proxy Execution: Rundll32

The RTF file contains a PowerShell script designed to reflectively load Mimikatz in memory, enabling credential dumping from LSASS without writing the binary to disk. String heuristics indicate references to the VirtualAlloc, VirtualProtect, WriteProcessMemory, and CreateRemoteThread APIs, consistent with memory-injection techniques. The document body explicitly mentions 'Invoke-Mimikatz' and its capability to dump credentials, aligning with the observed heuristics and the MITRE ATT&CK techniques listed above.

Heuristics (11)

  • Reference to WriteProcessMemory API (critical; SC_STR_WRITEPROCESSMEMORY)
  • Reference to CreateRemoteThread API (critical; SC_STR_CREATEREMOTETHREAD)
  • Heap-spray pattern detected (high; SC_HEAP_SPRAY)
    Repeated 0x41 ('A') bytes found
  • Reference to PowerShell (high; SC_STR_POWERSHELL)
  • Reference to LoadLibrary API (high; SC_STR_LOADLIBRARY)
  • Reference to GetProcAddress API (high; SC_STR_GETPROCADDRESS)
  • Clipboard command execution lure (high; SE_CLIPBOARD_COMMAND_LURE)
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • LOLBin token sequence in document text (high; SE_LOLBIN_RUN_COMMAND)
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Reference to VirtualAlloc API (medium; SC_STR_VIRTUALALLOC)
  • Reference to VirtualProtect API (medium; SC_STR_VIRTUALPROTECT)
  • Embedded URL (info; EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://blog.gentilkiwi.com
    • https://github.com/clymb3r/PowerShell/tree/master/Invoke-ReflectivePEInjection
    • https://github.com/clymb3r/PowerShell
    • https://github.com/gentilkiwi/mimikatz
    • http://www.exploit-monday.com/2012/07/structs-and-enums-using-reflection.html
    • http://www.exploit-monday.com/
    • http://creativecommons.org/licenses/by/3.0/fr/
    • http://clymb3r.wordpress.com/
    • http://clymb3r.wordpress.com/2013/04/06/reflective-dll-injection-with-powershell/
    • http://clymb3r.wordpress.com/2013/04/09/modifying-mimikatz-to-be-loaded-using-invoke-reflectivedllinjection-ps1/
    • http://msdn.microsoft.com/en-us/magazine/cc301808.aspx