Malicious RTF — malware analysis report

Static analysis result for SHA-256 f50c2b1235f53475…

Verdict: MALICIOUS
File type: RTF
Size: 114.9 KB
First seen: 2015-09-30
MD5: 94cf14672b50261fe75818ccb7cd53a0
SHA-1: d1511729849523a865364514b40461a2e35e5527
SHA-256: f50c2b1235f53475fba6c6076a31edca3b52eb20954bbf118b689a9aff7e6c45
Risk score: 300

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1055 Process Injection

The RTF file contains strings referencing Windows API functions such as CreateProcess, VirtualAlloc, WriteProcessMemory, CreateRemoteThread, LoadLibrary, and GetProcAddress, a combination that strongly suggests embedded shellcode. Together, these APIs point towards a process injection or exploitation attempt. The document body, though truncated, also contains strings related to HTTP and potential URLs, indicating a download or C2 communication attempt.

Heuristics (7)

  • Reference to WriteProcessMemory API (severity: critical, rule: SC_STR_WRITEPROCESSMEMORY)
  • Reference to CreateRemoteThread API (severity: critical, rule: SC_STR_CREATEREMOTETHREAD)
  • NOP sled detected (severity: high, rule: SC_NOP_SLED)
    Found 20+ consecutive 0x90 bytes
    Disassembly (attempted x86 opcode disassembly; a best-effort linear decode, and most bytes following the sled fall in the printable ASCII range, so the instructions listed after it may not be genuine code)
    0000698F  90                nop
    00006990  90                nop
    00006991  90                nop
    00006992  90                nop
    00006993  90                nop
    00006994  90                nop
    00006995  90                nop
    00006996  90                nop
    00006997  90                nop
    00006998  90                nop
    00006999  90                nop
    0000699A  90                nop
    0000699B  90                nop
    0000699C  90                nop
    0000699D  90                nop
    0000699E  90                nop
    0000699F  90                nop
    000069A0  90                nop
    000069A1  90                nop
    000069A2  90                nop
    000069A3  90                nop
    000069A4  8d4646            lea eax, [esi + 0x46]
    000069A7  333f              xor edi, dword ptr [edi]
    000069A9  3f                aas
    000069AA  3f                aas
    000069AB  895104            mov dword ptr [ecx + 4], edx
    000069AE  895108            mov dword ptr [ecx + 8], edx
    000069B1  89510c            mov dword ptr [ecx + 0xc], edx
    000069B4  895110            mov dword ptr [ecx + 0x10], edx
    000069B7  663f              aas
    000069B9  2031              and byte ptr [ecx], dh
    000069BB  20663f            and byte ptr [esi + 0x3f], ah
    000069BE  48                dec eax
    000069BF  0120              add dword ptr [eax], esp
    000069C1  3f                aas
    000069C2  4a                dec edx
    000069C3  40                inc eax
    000069C4  1f                pop ds
    000069C5  2020              and byte ptr [eax], ah
    000069C7  3f                aas
    000069C8  4e                dec esi
    000069C9  59                pop ecx
    000069CA  06                push es
    000069CB  2020              and byte ptr [eax], ah
    000069CD  663f              aas
    000069CF  52                push edx
    000069D0  41                inc ecx
    000069D1  206689            and byte ptr [esi - 0x77], ah
    000069D4  56                push esi
    000069D5  54                push esp
    000069D6  663f              aas
    000069D8  56                push esi
    000069D9  0220              add ah, byte ptr [eax]
    000069DB  663f              aas
    000069DD  58                pop eax
    000069DE  40                inc eax
    000069DF  018bc65e5bc3      add dword ptr [ebx - 0x3ca4a13a], ecx
    000069E5  90                nop
    000069E6  90                nop
    000069E7  90                nop
    000069E8  90                nop
    000069E9  90                nop
    000069EA  90                nop
    000069EB  90                nop
    000069EC  90                nop
    000069ED  90                nop
    000069EE  56                push esi
  • Reference to CreateProcess API (severity: high, rule: SC_STR_CREATEPROCESS)
  • Reference to LoadLibrary API (severity: high, rule: SC_STR_LOADLIBRARY)
  • Reference to GetProcAddress API (severity: high, rule: SC_STR_GETPROCADDRESS)
  • Reference to VirtualAlloc API (severity: medium, rule: SC_STR_VIRTUALALLOC)