MALICIOUS
Risk Score: 202
Heuristics 5
- ClamAV: Doc.Dropper.Agent-6412232-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6412232-1
- \objupdate forces OLE activation (high, RTF_OBJUPDATE): RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
- OLE object data (medium, RTF_OBJDATA): RTF contains 6 \objdata section(s) — embedded OLE objects
- Embedded OLE object (medium, RTF_OBJEMB): RTF contains \objemb — embedded OLE object
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)
Extracted artifacts 6
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 | Detection |
|---|---|---|---|---|---|
| objdata_00_off00002c1e.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2C1E | 33339 bytes | 0998169e7c7294473bcb9e862e61c550c26b7b00de24a4df2a3f2ac4116334ad | ClamAV: Doc.Dropper.Agent-6412232-1; Obfuscation or payload: unlikely |
| objdata_01_off00018b3a.bin | rtf-objdata-decoded | RTF \objdata at offset 0x18B3A | 33339 bytes | 1f4d841fe26810c80b0a26bfeec56b7d93a57752dd52ac011ce5bffaea58cd3e | ClamAV: Doc.Dropper.Agent-6412232-1; Obfuscation or payload: unlikely |
| objdata_02_off0002ea56.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2EA56 | 33339 bytes | cdb558ce1dc320befcce94c057e40e31d4c4b2d71538652896127802e89e868c | ClamAV: Doc.Dropper.Agent-6412232-1; Obfuscation or payload: unlikely |
| objdata_03_off00044972.bin | rtf-objdata-decoded | RTF \objdata at offset 0x44972 | 33339 bytes | aa4058fc948589765cb3262d8330473b5fc61c0cf0357252759549d056cf538a | ClamAV: Doc.Dropper.Agent-6412232-1; Obfuscation or payload: unlikely |
| objdata_04_off0005a88e.bin | rtf-objdata-decoded | RTF \objdata at offset 0x5A88E | 33339 bytes | 42ed4130250f7ac306d3f9febb8f2889906cdf67f1eb25ffaede83762793d3ff | ClamAV: Doc.Dropper.Agent-6412232-1; Obfuscation or payload: unlikely |
| objdata_05_off000707f6.bin | rtf-objdata-decoded | RTF \objdata at offset 0x707F6 | 13686 bytes | b0db4a1b434aceff2475ef895a2077afd844159e620b57e8bbfca88a82b77f72 | |