MALICIOUS
Risk Score: 82
Heuristics 4
- \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE): RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
- OLE object data (severity: medium, rule: RTF_OBJDATA): RTF contains 5 \objdata section(s) — embedded OLE objects
- Embedded OLE object (severity: medium, rule: RTF_OBJEMB): RTF contains \objemb — embedded OLE object
- Embedded URL (severity: info, rule: EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.microsoft.com/office/word/2003/wordml (In RTF body)
Extracted artifacts 5
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| objdata_00_off00002cf8.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2CF8 | 17467 bytes | 513694840da3b8b6cc497e2c9a894cb1bb0ee24a5be1cbc41b1937130b66df48 |
| objdata_01_off00010eef.bin | rtf-objdata-decoded | RTF \objdata at offset 0x10EEF | 17467 bytes | 29c7c919c82fa43f10cd291bc174397a8f8b8c89e54b4bab9684c7746609fb53 |
| objdata_02_off0001f0e6.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1F0E6 | 17467 bytes | 9c7029e5d4aa3e2bf5eb923b91cada3c394e3d5c7cba6cec5ba22880450406f2 |
| objdata_03_off0002d2dd.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2D2DD | 17467 bytes | 2adb209a4906fc8d8e187e68d29a74e490608a41d53673c948e88f79e7bdbbc4 |
| objdata_04_off0003b4d4.bin | rtf-objdata-decoded | RTF \objdata at offset 0x3B4D4 | 17467 bytes | a42ba869c9d0c5452f3222c3264f1eb20ddd07785d1f878c800561bbaf3e78a4 |