C99Shell RTF malware analysis — malicious · 9d81b1ee4d5b3adc

MALICIOUS

RTF

153.0 KB

MD5: 9d78b51b1f3ac2de888166f4d94a4158 SHA-1: 1693cfe3172fbb921045f24ad07db1d994446c70 SHA-256: 9d81b1ee4d5b3adc74c203a12b9fe919d716986653820c7da7a327ef1c721f2b

100 Risk Score

Malware Insights

C99Shell · confidence 95%

MITRE ATT&CK

T1059.001 PowerShell T1071.001 Web Protocols

The RTF file contains embedded PHP source code identified as C99Shell, a known IRC bot. The embedded script is designed to execute commands, manage files, and download additional payloads from URLs such as http://ccteam.ru/releases/c99shell. The ClamAV detection and heuristic firings strongly indicate this is a malicious PHP IRC bot. The script itself is designed to provide remote administration capabilities and download further payloads.

Heuristics 3

ClamAV: Php.Trojan.C99Shell-2 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Php.Trojan.C99Shell-2
PHP IRC bot source embedded in RTF high RTF_PHP_IRC_BOT_SOURCE

RTF document contains PHP source code with IRC socket connection logic, IRC protocol commands, and bot-control indicators. The RTF is acting as a wrapper for bot source rather than an exploit that executes when opened.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://ccteam.ru/releases/c99shell\\
- http://ccteam.ru/releases/update/c99shell/
- http://ccteam.ru/releases/cc99shell\\
- http://ccteam.ru\
- http://www.spygrup.org
- http://ccteam.ru/releases/c99shell\

Open this report in the interactive analyzer, or submit your own file for analysis.