Malicious RTF — malware analysis report

Static analysis result for SHA-256 b7b3a3a927454124…

Verdict: MALICIOUS
File type: RTF
Size: 30.8 KB
Created: 2021-05-05 15:20:00
First seen: 2021-07-10
MD5: e5de375187c762c83417d3d13f8c4695
SHA-1: 0774891f8cde3bf97a5ad4c31891ddd09cfec49f
SHA-256: b7b3a3a9274541246e8a3f330b8a2e594fadf5281652c4490b68f4e5f77e8858
Risk score: 62

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF file triggers a critical-severity heuristic for remote template injection: its template reference points to the URL http://domhub.live/arm/template.php. Because Word fetches the referenced template when the document is opened, the file appears designed to exploit a vulnerability and download and execute a secondary payload from this external resource. The presence of this indicator strongly points to a delivery technique commonly used for malware.

Heuristics (2)

  • Remote template injection (\*\template → remote URL). Severity: critical. Tags: CVE related, RTF_REMOTE_TEMPLATE
    The RTF's \*\template destination is a remote URL/UNC path. When Word opens the document it fetches and loads that template, which can carry macros or an exploit, deliver a scriptlet/HTA, or leak NTLM credentials over UNC. Benign documents attach only a local template, so a remote \*\template target is template-injection delivery (MITRE T1221).
    Signals:
    • remote \*\template target (Word fetches it on open)
    • destination obfuscated with \uN/\'xx escapes
    • dynamic-DNS / abuse-prone host
    • target is active/script content, not a .dot template
  • Embedded URL info. Tag: EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://domhub.live/arm/template.php (in RTF body)
    • http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)