Malicious RTF — malware analysis report

Static analysis result for SHA-256 de704e56834e7aea…

MALICIOUS

RTF

Size: 65.2 KB
First seen: 2026-05-10
MD5: 1f6b65b04d35b14fe2e89dcfa4a53642
SHA-1: 794b5aa68dfbf0815d2704c69ba74ddac262f63a
SHA-256: de704e56834e7aea33af8468c186919dcd567a2fe78ba140cf78f1eeaac6d6b3
Risk Score: 100

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The RTF file carries embedded PHP source code for an IRC bot. The script connects to an IRC server, joins the configured channels, and responds to commands sent over the channel, which makes it a remote-control tool for coordinating activity across infected hosts over IRC. The embedded source code is the primary indicator of this functionality; the RTF itself is only the carrier and is not flagged for an exploit that runs when the document is opened.

Heuristics (2)

  • PHP webshell / backdoor source (severity: critical, rule: WEBSHELL_PHP)
    The file contains PHP server-side code with the signature of a webshell/backdoor: request input fed to a command/code-execution sink, together with a decoder or a second sink (RCE backdoor). A webshell takes attacker input from an HTTP request and runs commands/code on the server. It is flagged as a malicious hacktool artifact even when carried inside a document or archive: the code does not execute from the carrier, but the file is a webshell.
  • PHP IRC bot source embedded in RTF (severity: high, rule: RTF_PHP_IRC_BOT_SOURCE)
    The RTF document contains PHP source code with IRC socket connection logic, IRC protocol commands, and bot-control indicators. The RTF acts as a wrapper for bot source rather than as an exploit that executes when the document is opened.