Malicious RTF — malware analysis report

Static analysis result for SHA-256 c0e185691939cbdd…

Verdict: MALICIOUS
File type: RTF
Size: 19.6 KB
First seen: 2015-09-16
MD5: 1d1c35486cde95b02be9db298cd4e440
SHA-1: 7634b1d1f6b16c97cb1345e0fc2772f771ffe87f
SHA-256: c0e185691939cbdda43143494a66883d25ef87433163653298c6fc3f59dd3e51
Risk score: 260

Malware Insights

MITRE ATT&CK
T1055 Process Injection
  T1055.012 Process Hollowing

The RTF file triggers several heuristics for string references to Windows APIs used in process injection, including CreateProcess, VirtualAlloc, WriteProcessMemory and CreateRemoteThread. Taken together, these static references indicate that the file's likely intent is to inject malicious code into a running process. No document body or script content was available for further analysis.

Heuristics (6)

  • Reference to WriteProcessMemory API — severity: critical — ID: SC_STR_WRITEPROCESSMEMORY
  • Reference to CreateRemoteThread API — severity: critical — ID: SC_STR_CREATEREMOTETHREAD
  • Reference to CreateProcess API — severity: high — ID: SC_STR_CREATEPROCESS
  • Reference to LoadLibrary API — severity: high — ID: SC_STR_LOADLIBRARY
  • Reference to GetProcAddress API — severity: high — ID: SC_STR_GETPROCADDRESS
  • Reference to VirtualAlloc API — severity: medium — ID: SC_STR_VIRTUALALLOC