MALICIOUS
Risk Score: 202
Heuristics 5
- ClamAV: Doc.Macro.Obfuscation-6391394-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Macro.Obfuscation-6391394-0
- \objupdate forces OLE activation (high, RTF_OBJUPDATE): RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
- OLE object data (medium, RTF_OBJDATA): RTF contains 10 \objdata section(s) — embedded OLE objects
- Embedded OLE object (medium, RTF_OBJEMB): RTF contains \objemb — embedded OLE object
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)
Extracted artifacts 10
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 | ClamAV detection | Obfuscation or payload |
|---|---|---|---|---|---|---|
| objdata_00_off00002a8a.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2A8A | 20545 bytes | 4bacbf8e2de8e9596320809e850180749c2753a5a53c3808378f39c7069a5924 | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_01_off00012491.bin | rtf-objdata-decoded | RTF \objdata at offset 0x12491 | 20545 bytes | d482bf9d91dfb9b23c16563d3b540b0eee3218b04449fec656622725c15358c2 | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_02_off00021e9a.bin | rtf-objdata-decoded | RTF \objdata at offset 0x21E9A | 20545 bytes | bf75c21ee78ce1e1a058438a2385e3337601af479f806c66150cfacdccfc658c | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_03_off000318a3.bin | rtf-objdata-decoded | RTF \objdata at offset 0x318A3 | 20545 bytes | f7be4f1f6e0840b9fe511097a5ad42fa4f3fecbf8cc889d62168b0b70802afb0 | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_04_off000412ac.bin | rtf-objdata-decoded | RTF \objdata at offset 0x412AC | 20545 bytes | 00f7ff52a6a9f26611d1b55172bd8f8017134cb5ce80c4e0e3c908fb80fc36b9 | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_05_off00050cb5.bin | rtf-objdata-decoded | RTF \objdata at offset 0x50CB5 | 20545 bytes | fb4167791b1fc126340029fab98ce03c3b8ea0273de67e2c4e0794e2182e740d | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_06_off000606be.bin | rtf-objdata-decoded | RTF \objdata at offset 0x606BE | 20545 bytes | e374a5e70264b5287f5254234d06d75b89864478bc3e7cd51bbd0c6db5de905d | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_07_off000700c7.bin | rtf-objdata-decoded | RTF \objdata at offset 0x700C7 | 20545 bytes | df5487099d6b80ff0d849af6c43dd34e38946e1900725ec4e5a7e3f5c83a5883 | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_08_off0007fad0.bin | rtf-objdata-decoded | RTF \objdata at offset 0x7FAD0 | 20545 bytes | db7d6f594b453295ab578e053ce1f68da93d48b9f735c3df1009050d24fb5497 | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_09_off0008f4d9.bin | rtf-objdata-decoded | RTF \objdata at offset 0x8F4D9 | 20545 bytes | ec7e45090579df1fd699a48a6a6a65a2939ef6e4ab64b73435611450b7aa19d4 | Doc.Macro.Obfuscation-6391394-0 | unlikely |