MALICIOUS
Risk Score: 202
Heuristics 5
- ClamAV: Doc.Macro.Obfuscation-6391394-0 | critical | CLAMAV_DETECTION | ClamAV detected this file as malware: Doc.Macro.Obfuscation-6391394-0
- \objupdate forces OLE activation | high | RTF_OBJUPDATE | RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
- OLE object data | medium | RTF_OBJDATA | RTF contains 10 \objdata section(s): embedded OLE objects
- Embedded OLE object | medium | RTF_OBJEMB | RTF contains \objemb: embedded OLE object
- Embedded URL | info | EMBEDDED_URL | One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)
Extracted artifacts 10
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 | ClamAV detection | Obfuscation or payload |
|---|---|---|---|---|---|---|
| objdata_00_off00002a83.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2A83 | 21057 bytes | 9ac76590ac2f02b639b9c608dc20b04fccc2988d0c878183986d13e63f54aae6 | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_01_off00012890.bin | rtf-objdata-decoded | RTF \objdata at offset 0x12890 | 21057 bytes | 34580d2f43443a00cbdf91191d9e465fc3650391e88e111609a51fb602dc24fa | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_02_off0002269f.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2269F | 21057 bytes | d0cf4de9799be5109a9ebb868fd0ec9d6cf16e1ef6cb0c52a91da577af6f13b0 | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_03_off000324ae.bin | rtf-objdata-decoded | RTF \objdata at offset 0x324AE | 21057 bytes | de8660fc7989dcc997a79b2e8faa1d1b2077472959d331e18616c9243cd5064d | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_04_off000422bd.bin | rtf-objdata-decoded | RTF \objdata at offset 0x422BD | 21057 bytes | b2678a12c6c6770efcc30cab5a755d83741a788fd2664241f46d6ef8e56ea6b7 | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_05_off000520cc.bin | rtf-objdata-decoded | RTF \objdata at offset 0x520CC | 21057 bytes | dace8a0ae05b4b3fbd553b300696a28d88c2beee6a89d45ad95c63483ab6ad19 | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_06_off00061edb.bin | rtf-objdata-decoded | RTF \objdata at offset 0x61EDB | 21057 bytes | 09408842e27a1809a7c7b784b6abd4ce8a9d43b7d325d7f72b9c7f4cb9eed677 | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_07_off00071cea.bin | rtf-objdata-decoded | RTF \objdata at offset 0x71CEA | 21057 bytes | 0a0c3609512ea2a9ab72a1e478d337ef848faf66144839f4f2485bbba6bfbdb4 | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_08_off00081af9.bin | rtf-objdata-decoded | RTF \objdata at offset 0x81AF9 | 21057 bytes | 1dd9d6c4fc3fad19c4d079746ae6a95e9609ae5cddcf36e1815105e3853fa341 | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_09_off00091908.bin | rtf-objdata-decoded | RTF \objdata at offset 0x91908 | 21057 bytes | ba4724ac80a8eba7f069934f4a6fe1215544a6a4bd4f97a28f18f404c8221135 | Doc.Macro.Obfuscation-6391394-0 | unlikely |