Verdict: MALICIOUS
Risk Score: 242

Heuristics (6)

- ClamAV: Doc.Macro.Obfuscation-6391394-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Macro.Obfuscation-6391394-0
- \objupdate forces OLE activation (high, RTF_OBJUPDATE): RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
- Large hex data blocks in OLE object (high, RTF_EXCESSIVE_HEX): RTF contains ~1643KB of hex-encoded data inside \objdata sections; this may hide a payload.
- OLE object data (medium, RTF_OBJDATA): RTF contains 10 \objdata section(s), i.e. embedded OLE objects.
- Embedded OLE object (medium, RTF_OBJEMB): RTF contains \objemb, an embedded OLE object.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)
Extracted artifacts (10)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 | ClamAV detection | Obfuscation or payload |
|---|---|---|---|---|---|---|
| objdata_00_off000035fa.bin | rtf-objdata-decoded | RTF \objdata at offset 0x35FA | 22593 bytes | dc606e1534d9061ee37468a3e787304eccabf0829de64fe289f1b22a2dbeb88c | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_01_off00014045.bin | rtf-objdata-decoded | RTF \objdata at offset 0x14045 | 22593 bytes | 9906d337898215967e8a2e55cd2a1ad619bc2b945270efe70b9018ce12dd67a0 | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_02_off00024a90.bin | rtf-objdata-decoded | RTF \objdata at offset 0x24A90 | 22593 bytes | fb324832525065dabba2083b8447706cf9f355cb802ebc5142342a2ff666a372 | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_03_off000354db.bin | rtf-objdata-decoded | RTF \objdata at offset 0x354DB | 22593 bytes | 2350fc803639cd9597775a3d8744e65687481964b213b818d964aa1f2fc954a1 | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_04_off00045f26.bin | rtf-objdata-decoded | RTF \objdata at offset 0x45F26 | 22593 bytes | b8702189993b0ff8a0e221281b606ff4a76f045202683bc368467a6e100fdf9d | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_05_off00056971.bin | rtf-objdata-decoded | RTF \objdata at offset 0x56971 | 22593 bytes | 95e1c3de652b55607b55e9cbf0a7f9900e5f2f1f298bc10f81e18e8a36ff5875 | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_06_off000673bc.bin | rtf-objdata-decoded | RTF \objdata at offset 0x673BC | 22593 bytes | 1d3753b39909ba31cfce1f21f2a71c0f9a5b7e7028e3c5e87ff436e9f9445388 | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_07_off00077e07.bin | rtf-objdata-decoded | RTF \objdata at offset 0x77E07 | 22593 bytes | d9d32fdb883656fb3929849b8af001039ac8c0f56fb5f72ed13bb7c5e93f325d | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_08_off00088852.bin | rtf-objdata-decoded | RTF \objdata at offset 0x88852 | 22593 bytes | 2c0bc9653b8d1d4cb198139622c8ac2ab97d8ae2f105eb42d44bb2fa1d70a4c1 | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_09_off0009929d.bin | rtf-objdata-decoded | RTF \objdata at offset 0x9929D | 22593 bytes | 83f64cb22887ed7c77603f74353f622eb7538876763f819c9bdba6b1bca4fd0e | Doc.Macro.Obfuscation-6391394-0 | unlikely |