MALICIOUS
Risk Score: 300

Malware Insights

MITRE ATT&CK
- T1203 Exploitation for Client Execution
- T1055 Process Injection
The RTF file triggers string heuristics for the Windows API names CreateProcess, VirtualAlloc, WriteProcessMemory, CreateRemoteThread, LoadLibrary and GetProcAddress, together with a run of 0x90 (NOP) bytes. That combination is consistent with embedded shellcode: VirtualAlloc, WriteProcessMemory and CreateRemoteThread are the standard remote process injection sequence (T1055), and LoadLibrary with GetProcAddress is how position-independent code resolves further imports at run time. Two caveats apply before the verdict is treated as confirmed. First, API names as plain strings are also exactly what an embedded executable's import table looks like, whereas hand-written shellcode usually resolves APIs by hash and carries no such strings, so the hits may belong to a dropped PE rather than to the shellcode itself. Second, the disassembly that follows the sled mixes plausible instructions (the four mov dword ptr [ecx + n], edx stores) with opcodes rarely seen in real code (aas, pop ds, push es), and the bytes 8b c6 5e 5b c3 at 000069E0, decoded one byte later than the analyzer's alignment, read as mov eax, esi; pop esi; pop ebx; ret, a normal function epilogue; the listing should therefore be validated by hand before it is treated as live code. The document body, though truncated, also contains HTTP-related strings and potential URLs, indicating a download or C2 communication attempt.
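The two heuristic families the summary relies on (API name strings and a run of 0x90 bytes) are simple to reproduce, and doing so shows why the raw file is not enough to scan. The Python scanner below is an added example, not the analyzer's own code: it assumes the payload is carried as RTF hex-encoded object data (the usual \objdata layout), decodes every long hex run, and applies both checks to the raw file and to each decoded blob, reusing the report's heuristic IDs and its 20-byte sled threshold. The sample RTF, its payload and the http://example.invalid URL are constructed for the example.

```python
from __future__ import annotations
import re

# Heuristic catalogue mirroring the report's IDs: (id, severity, byte pattern).
# Substring matching is deliberate: "CreateProcess" also covers CreateProcessA/W.
API_HEURISTICS = [
    ("SC_STR_WRITEPROCESSMEMORY", "critical", b"WriteProcessMemory"),
    ("SC_STR_CREATEREMOTETHREAD", "critical", b"CreateRemoteThread"),
    ("SC_STR_CREATEPROCESS", "high", b"CreateProcess"),
    ("SC_STR_LOADLIBRARY", "high", b"LoadLibrary"),
    ("SC_STR_GETPROCADDRESS", "high", b"GetProcAddress"),
    ("SC_STR_VIRTUALALLOC", "medium", b"VirtualAlloc"),
]
NOP_SLED_MIN = 20  # the report's threshold: "20+ consecutive 0x90 bytes"
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}

# A run of at least 16 hex byte pairs, whitespace allowed between pairs.
# RTF stores embedded objects (\objdata, \pict) as hex text, so the bytes
# the heuristics care about only exist after decoding (assumption: no \bin runs).
HEX_RUN = re.compile(rb"(?:[0-9A-Fa-f]{2}\s*){16,}")


def decode_hex_runs(rtf: bytes) -> list[tuple[int, bytes]]:
    """Return (file_offset, decoded_bytes) for each long hex run in the RTF."""
    blobs = []
    for m in HEX_RUN.finditer(rtf):
        compact = re.sub(rb"\s", b"", m.group(0))
        compact = compact[: len(compact) - len(compact) % 2]  # drop a dangling nibble
        blobs.append((m.start(), bytes.fromhex(compact.decode("ascii"))))
    return blobs


def find_nop_sleds(data: bytes, min_len: int = NOP_SLED_MIN) -> list[tuple[int, int]]:
    """(offset, length) of every run of min_len or more 0x90 bytes."""
    pattern = b"\x90{%d,}" % min_len
    return [(m.start(), len(m.group(0))) for m in re.finditer(pattern, data)]


def scan(rtf: bytes) -> list[dict]:
    """Run both heuristics over the raw file and every hex-decoded blob.

    One finding per heuristic ID, each carrying the layer it fired in
    (raw vs hex-decoded), ordered highest severity first.
    """
    layers = [("raw", 0, rtf)]
    layers += [("hex-decoded", off, blob) for off, blob in decode_hex_runs(rtf)]
    findings: dict[str, dict] = {}

    def record(hid, severity, layer, base, offset, detail):
        f = findings.setdefault(hid, {"id": hid, "severity": severity, "hits": []})
        f["hits"].append({"layer": layer, "blob_offset": base, "offset": offset, "detail": detail})

    for layer, base, data in layers:
        for hid, severity, needle in API_HEURISTICS:
            for m in re.finditer(re.escape(needle), data):
                record(hid, severity, layer, base, m.start(), f"Reference to {needle.decode()} API")
        for off, length in find_nop_sleds(data):
            record("SC_NOP_SLED", "high", layer, base, off, f"Found {length} consecutive 0x90 bytes")

    return sorted(findings.values(), key=lambda f: SEVERITY_RANK[f["severity"]])


# Constructed sample, not a real malicious document: a hex-encoded object
# carrying a 24-byte NOP sled followed by two API name strings.
PAYLOAD = b"\x90" * 24 + b"WriteProcessMemory\x00CreateRemoteThread\x00"
SAMPLE_RTF = (
    b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata "
    + PAYLOAD.hex().encode("ascii")
    + b"}}\\par http://example.invalid/payload \\par}"
)

if __name__ == "__main__":
    for f in scan(SAMPLE_RTF):
        first = f["hits"][0]
        print(f"{f['id']:28} {f['severity']:8} {first['layer']:12} {first['detail']}")
```

Scanning only the raw bytes of the sample yields nothing, because both the sled and the API names exist only after the hex stream is decoded, which is why every finding is reported at the hex-decoded layer. Real documents may split the hex across lines, interleave control words, or switch to raw \bin data inside the object stream; a production pipeline should extract objects with a proper RTF parser (oletools' rtfobj) before applying string heuristics. The API-string check is also blind to shellcode that resolves imports by hash, so a clean string scan is not evidence of absence.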
Heuristics (7)

- SC_STR_WRITEPROCESSMEMORY (critical): Reference to WriteProcessMemory API
- SC_STR_CREATEREMOTETHREAD (critical): Reference to CreateRemoteThread API
- SC_NOP_SLED (high): NOP sled detected, found 20+ consecutive 0x90 bytes

    Disassembly (attempted x86 opcode disassembly at the sled):

    0000698F  90            nop
    00006990  90            nop
    00006991  90            nop
    00006992  90            nop
    00006993  90            nop
    00006994  90            nop
    00006995  90            nop
    00006996  90            nop
    00006997  90            nop
    00006998  90            nop
    00006999  90            nop
    0000699A  90            nop
    0000699B  90            nop
    0000699C  90            nop
    0000699D  90            nop
    0000699E  90            nop
    0000699F  90            nop
    000069A0  90            nop
    000069A1  90            nop
    000069A2  90            nop
    000069A3  90            nop
    000069A4  8d4646        lea eax, [esi + 0x46]
    000069A7  333f          xor edi, dword ptr [edi]
    000069A9  3f            aas
    000069AA  3f            aas
    000069AB  895104        mov dword ptr [ecx + 4], edx
    000069AE  895108        mov dword ptr [ecx + 8], edx
    000069B1  89510c        mov dword ptr [ecx + 0xc], edx
    000069B4  895110        mov dword ptr [ecx + 0x10], edx
    000069B7  663f          aas
    000069B9  2031          and byte ptr [ecx], dh
    000069BB  20663f        and byte ptr [esi + 0x3f], ah
    000069BE  48            dec eax
    000069BF  0120          add dword ptr [eax], esp
    000069C1  3f            aas
    000069C2  4a            dec edx
    000069C3  40            inc eax
    000069C4  1f            pop ds
    000069C5  2020          and byte ptr [eax], ah
    000069C7  3f            aas
    000069C8  4e            dec esi
    000069C9  59            pop ecx
    000069CA  06            push es
    000069CB  2020          and byte ptr [eax], ah
    000069CD  663f          aas
    000069CF  52            push edx
    000069D0  41            inc ecx
    000069D1  206689        and byte ptr [esi - 0x77], ah
    000069D4  56            push esi
    000069D5  54            push esp
    000069D6  663f          aas
    000069D8  56            push esi
    000069D9  0220          add ah, byte ptr [eax]
    000069DB  663f          aas
    000069DD  58            pop eax
    000069DE  40            inc eax
    000069DF  018bc65e5bc3  add dword ptr [ebx - 0x3ca4a13a], ecx
    000069E5  90            nop
    000069E6  90            nop
    000069E7  90            nop
    000069E8  90            nop
    000069E9  90            nop
    000069EA  90            nop
    000069EB  90            nop
    000069EC  90            nop
    000069ED  90            nop
    000069EE  56            push esi

- SC_STR_CREATEPROCESS (high): Reference to CreateProcess API
- SC_STR_LOADLIBRARY (high): Reference to LoadLibrary API
- SC_STR_GETPROCADDRESS (high): Reference to GetProcAddress API
- SC_STR_VIRTUALALLOC (medium): Reference to VirtualAlloc API