It's probably a dummy value. I doubt there's a sinister scheme to plant "John Doe <test@me.com>" in a victim's address book. [1]

[1] https://github.com/hackedteam/rcs-common/blob/master/lib/rcs...

How do you figure that?

I was under the impression that they were planting files on the user's computer to incriminate them. I don't really understand where this code is getting it's payload from though.

It seems like that code just builds random-ish data that conforms to the wanted file format and then gives it incriminating names. For example:

[1] https://github.com/hackedteam/rcs-common/blob/38290d4eab2b2c...

[2] https://github.com/hackedteam/rcs-common/blob/38290d4eab2b2c...

That could plausibly be a tool for generating test data for forensics tools. The hardcoded paths don't make a lot of sense for actually trying to plant evidence.

I would guess that's part of a codebase for generating sales demos before LEOs.