Malicious RTF / .BAT — malware analysis report

Static analysis result for SHA-256 d0513cc483330131…

MALICIOUS

RTF / .BAT

Size: 1.1 KB
Authoring application: Msftedit 5.41.15.1515
MD5: 09e34e71c836451d8438b0657f2e34c9
SHA-1: 7003c155f320652996b35dd3a86a69343eac9d0d
SHA-256: d0513cc4833301315360638ea73532ea2fd097586ffbd1560b29d09a9388dde9
Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1059.003 Windows Command Shell
  • T1218 System Binary Proxy Execution

The sample is a batch script disguised as an RTF document. It contains explicit instructions to run `rundll32` to manipulate system settings, likely as a distraction or to confuse the user. The script then attempts to open a URL with `start http://www.bzykanie.com.pl`, a common technique for delivering malicious payloads. The creation of numerous empty files with suggestive names on the user's desktop and in the Recent folder further indicates malicious intent, possibly to clutter the system or to mask other activity.

Heuristics (3)

  • Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • Visible LOLBin command execution instruction high SE_LOLBIN_RUN_COMMAND
    Document contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://www.bzykanie.com.pl\par
      • http://www.bzykanie.com.pl