Malicious RTF — malware analysis report

Static analysis result for SHA-256 ecdbdc0876a5cd23…

MALICIOUS

RTF

Size: 170.8 KB
First seen: 2015-09-20
MD5: 40324ecb546011f680364b20fb48a550
SHA-1: c183c4d15d349a896c80b9cdb974870dd83b6791
SHA-256: ecdbdc0876a5cd236ec5869d3c6d7130943e10998d70531e2711c6ffdba9123d
Risk Score: 102

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF file contains embedded URLs and triggers heuristics related to memory allocation and library loading (VirtualAlloc, LoadLibrary, GetProcAddress), indicating an attempt to execute code. While no explicit script was carved, the RTF structure and heuristic firings suggest a vulnerability exploit. The embedded URLs are benign, so the payload delivery mechanism is not directly observable from this evidence.

Heuristics (4)

  • Reference to LoadLibrary API (severity: high, rule SC_STR_LOADLIBRARY)
  • Reference to GetProcAddress API (severity: high, rule SC_STR_GETPROCADDRESS)
  • Reference to VirtualAlloc API (severity: medium, rule SC_STR_VIRTUALALLOC)
  • Embedded URL (severity: info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://schemas.openxmlformats.org/drawingml/2006/main (in RTF body)
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliography (in RTF body)
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml (in RTF body)