Malicious RTF — malware analysis report

Static analysis result for SHA-256 a3305e6670caf809…

Verdict: MALICIOUS
File type: RTF
Size: 1.23 MB
First seen: 2024-08-17
MD5: 4375f32f0f47e89502f6e88c650e5dd6
SHA-1: 54e670f481153a98e337a10f7ae7ad38e19498a5
SHA-256: a3305e6670caf8097bc7bfd20ef934a0885d1478a7ca7ce9068bb91f7749b452
Risk score: 142

Malware Insights

MITRE ATT&CK
T1059 Command and Scripting Interpreter

The RTF document employs a combination of advance-fee scam and password-protected archive lures. It specifically requests recovery secrets or private keys, indicating a phishing attempt to steal sensitive credentials. The embedded URL is highly suspicious and likely part of the credential harvesting infrastructure.

Heuristics (4)

  • Recovery secret / private key request (severity: critical, rule: SE_SECRET_RECOVERY_LURE)
    Document requests recovery phrases, private keys, backup codes, or saved passwords. Requests for these secrets in a document are high-risk.
  • Advance-fee lottery/parcel scam lure (severity: high, rule: SE_ADVANCE_FEE_SCAM_LURE)
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • Password-protected archive handoff (severity: high, rule: SE_PASSWORD_ARCHIVE_LURE)
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://id-stage.https://id-test.https://my-mac.avast.comhttps://my-mac-stage.avast.comhttps://my-mac-test.avast.com_TtC9AccountMy25LoginWithTicketParametersticketIDv8@?0swift_getFunctionTypeMetadataGlobalActorswift_getFunctionTypeMetadataGlobalActorStandalone/Applications/CCleaner.app/Contents/Frameworks/AccountMy.framework/Versions/A/AccountMy??wf0????PU0???AppleEmbeddedPCIEPortControlFunctionsite.AppleEmbeddedPCIEPortControlFunction12111ApplePCIEMSIControllersite.ApplePCIEMSIController121111121222121211112211221ApplePCIEMSIController::%s
    • https://comments.adobe.ioCommentingURLx-api-keyAdobeAcrobat5x-api-client-idapi_acrobat_desktop_mac_15.0.0UniqueIdForEureka15.0.0XXXXXXXXXXXXXXXXXXXXXXXX
    • https://reviews.adobe.ioAnnotationscreationId/dev/urandomAcroCoreSyncfullpayloadlinksinvitationURIreviewURIassert_invariantjson.hppm_type
    • https://api2.acrobat.comhttps://v4.services.acrobat.com/https://v3.services.acrobat.com/https://api2.acrobat.com/webservicesbmkzNDZEcnp7WmdFZ35mRntQQnZ8RxdIU3teeW5PaFVJQE9DcG8fYWNbXkRsLg==a01HTX9LM0E9RXt4eEZJZyF+JGdUYRdOTWp0V1FVbFZlbEBJQlB0TVB+fn5KLg==MmFmPTY+Mj4wM2g4azc3KXNwK3Ihcicrfyt/LComekIhR0YXE0ARSUwYGx5LSxsEAAJXAgxSVAoKX1pZBVpdeSNCOGQyNzNnZTpsPDxqO2s3dnd2ISUicHN+L3t4K3svJ0IhQBUcQEJDHBscEx4UFk4BAQtQA1QDVFoLDwgIDwtdIndChttps://api.share.acrobat.com/webservices/api/v1/https://api.share.acrobat.comhttps://tob.acrobat.com/TOB/AdobeAuth
    • https://WebServiceJob/?auth/account/wsapi/auth/v1dc/POSTPUT.docidapi://https://PrefSyncJobhttps://BlockUploadJob
    • https://PrefSyncJob/
    • http://OperationGroupInvalidfile_md5_digestfilename_in_db[id]md5_matchedresource_executed
    • https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Pref/StateMachinehttps://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/RFListhttps://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Uploadparcelparcel_idparcelsinvitationshttps://send.acrobat.com/a/api/parcelsname=
    • https:///generate-signed-url[Version
    • http://ACRO_PROXYWWW-Authenticaterealm=
    • https://ims-na1-stg1.adobelogin.comhttps://ims-na1.adobelogin.com
    • https://comments.adobe.io/schemas/bulk_entity_v1.json
    • https://comments.adobe.io/schemas/entity_v1.json
    • https://comments.adobe.io/schemas/annots_metadata.jsonld
    • https://comments.adobe.io/schemas/user_comment_metadata_result_v1.json
    • https://www.w3.org/ns/anno.jsonldhttps://comments.acrobat.com/ns/anno.jsonldcontents#textpage#intAdobeAnnotSelectorrect#doubleStartStructElem#intAdobeDynamicViewSelectorEndStructElem#intStartOffset#intEndOffset#intLeftOffset#doubleTopOffset#doublestrokeColor#inttype#atomTextnotepoint0#double1#doubleCaretinsertReplacereplaceboundingboxinReplyTo#textreplyingcommentingInkHighlighthighlightUnderlineunderlineStrikeOutstrikeoutopacity#doublequadsshapewidth#doublegesturesintent#atomauthor#textuserEmailId#texteurekaURL#textaffiliation#textcreatorType#texteurekaAdobeId#textmodDate#textcreationDate#textOpenResolved#textlocalEtag#textcreationId#textxRequestId#texttype
    • https://trustlist.adobe.com/tl12.acrobatsecuritysettingshttp://trustlist.adobe.com/tl12.acrobatsecuritysettingshttps://trustlist.adobe.com/eutl12.acrobatsecuritysettingshttp://trustlist.adobe.com/eutl12.acrobatsecuritysettingsinvalid
    • https://dc-api.adobe.io/discoveryAVGeneralDCAPIStageapplication/vnd.adobe.dc+json;profile=
    • https://dc-api.adobe.io/schemas/discovery_v1.json
    • https://files.acrobat.com/apiBlueHeronMasterURLapplication/pdf.pdfapplication/vnd.openxmlformats-officedocument.wordprocessingml.document.docxapplication/vnd.openxmlformats-officedocument.spreadsheetml.sheet.xlsxapplication/vnd.openxmlformats-officedocument.presentationml.presentation.pptxapplication/msword.doc.rtfapplication/vnd.ms-excel.xlsapplication/vnd.ms-powerpoint.ppttext/html.htm.htmlimage/jpeg.jpg.jpegimage/png.pngimage/bmp.bmpimage/gif.gifapplication/zip.ziptext/plainapplication/x-indesign.inddapplication/illustrator.aiimage/vnd.adobe.photoshop.psdtext/vtt.vttapplication/octet-stream[Version
    • https://dc-api.adobe.io/schemas/folder_listing_v1.json
    • https://notify-stage.adobe.io/ans/
    • https://notify.adobe.io/ans/
    • https://notify-stage.adobe.io/anshttps://notify.adobe.io/ans[Version
    • http://ns.adobe.com/synchronizer/dependencyhttp://ns.adobe.com/synchronizer/ttlhttp://ns.adobe.com/Acrobat/RSS/Reviews/deadlinehttp://ns.adobe.com/Acrobat/RSS/Inbox/iconhttp://ns.adobe.com/Acrobat/RSS/Inbox/feedUIenclosurelinkitemauthordescriptionpubDateoutlinerssRDFfeedopmlhttp://purl.org/rss/1.0/itemhttp://purl.org/rss/1.0/titlehttp://purl.org/rss/1.0/descriptionhttp://purl.org/rss/1.0/modules/content/encodedhttp://www.w3.org/1999/xhtmlbodyhttp://purl.org/atom/ns#entryhttp://purl.org/atom/ns#contenthttp://purl.org/atom/ns#summaryhttp://purl.org/atom/ns#idhttp://purl.org/atom/ns#modifiedhttp://www.w3.org/2005/Atomentryhttp://www.w3.org/2005/Atomcontenthttp://www.w3.org/2005/Atomsummaryhttp://www.w3.org/2005/Atomidhttp://www.w3.org/2005/AtommodifledDAV:responseDAV:hrefDAV:getlastmodifiedDAV:getetagDAV:getcontenttypeDAV:getcontentlengthDAV:collectionsmbentrychildrenrelhrefxmlUrlTBDdirectorynodenodeidmodifieddateadobedocDAV:http://www.w3.org/1999/02/22-rdf-syntax-ns#http://purl.org/atom/ns#http://www.w3.org/2005/Atomversion2.0D:EncryptionErrorError
    • https://xp.apple.com/report/2/psr_ota/varPermanent
    • https://xp.apple.com/reportno