Malicious RTF — malware analysis report

Static analysis result for SHA-256 93fad419469db805…

MALICIOUS

RTF

Size: 82.2 KB
First seen: 2026-06-04
MD5: f8ac0567c4006211f265972f51e3e813
SHA-1: 9d92a76209e11b4c0fac8ec619a08edacb66144b
SHA-256: 93fad419469db805e426f88cdd5a68e2266995ec9d0fdd45c82c5c1fe337e3f5
Risk Score: 62

Heuristics 2

  • PHP webshell / backdoor source (severity: critical, rule: WEBSHELL_PHP)
    The file contains PHP server-side code with the signature of a webshell/backdoor (named PHP webshell banner (FilesMan)). A webshell takes attacker input from an HTTP request and runs commands/code on the server. Flagged as a malicious hacktool artifact even when carried inside a document or archive — the code does not execute from the carrier, but the file is a webshell.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://noreferer.de/?http://www.exploit-db.com/search/?action=search&description= (in RTF body)
    • http://noreferer.de/?http://www.google.com/search?q= (in RTF body)
    • https://hashcracking.ru/index.php (in RTF body)
    • http://md5.rednoize.com/?q= (in RTF body)
    • http://www.hashcrack.com/index.php (in RTF body)
    • http://toolki.com/ (in RTF body)
    • http://fopo.com.ar/ (in RTF body)
    • http://www.md5decrypter.com/ (in RTF body)
    • https://cdn.jsdelivr.net/particles.js/2.0.0/particles.min.js (in RTF body)
    • http://www.fakenamegenerator.com/ (in RTF body)