MALICIOUS
Risk Score: 202
Heuristics 5
- ClamAV: Doc.Macro.Obfuscation-6391394-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Macro.Obfuscation-6391394-0
- \objupdate forces OLE activation (high, RTF_OBJUPDATE): RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
- OLE object data (medium, RTF_OBJDATA): RTF contains 10 \objdata section(s) — embedded OLE objects
- Embedded OLE object (medium, RTF_OBJEMB): RTF contains \objemb — embedded OLE object
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)
Extracted artifacts 10
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 | ClamAV detection | Obfuscation or payload |
|---|---|---|---|---|---|---|
| objdata_00_off00002a8a.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2A8A | 20545 bytes | 62f218ae2d4d5056e784ac88ddb6457c539def4cdbf77198f8b8bc2315203320 | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_01_off00012491.bin | rtf-objdata-decoded | RTF \objdata at offset 0x12491 | 20545 bytes | 2518ffc86f88223db71a10a23bcf96d10df547bff2b7ade792cf93b62a6e3089 | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_02_off00021e9a.bin | rtf-objdata-decoded | RTF \objdata at offset 0x21E9A | 20545 bytes | 7d935c631ae4b2a23e93041832d2f327f90d3fb5a62ae56d7ea47b317475df6e | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_03_off000318a3.bin | rtf-objdata-decoded | RTF \objdata at offset 0x318A3 | 20545 bytes | 1bb966b78b7b3100c44e5c4b8ec4619b8f5ad94e6a8654bdea50bf693cab9bc4 | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_04_off000412ac.bin | rtf-objdata-decoded | RTF \objdata at offset 0x412AC | 20545 bytes | 1807af47c75ced5a3fee0de83868d45039b5791ad219fbb79441ae2ee63dc00e | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_05_off00050cb5.bin | rtf-objdata-decoded | RTF \objdata at offset 0x50CB5 | 20545 bytes | 0d40b37d66a60d58f2a3c2fe05f83e98413c4dc298de871544eef1c3fe54713b | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_06_off000606be.bin | rtf-objdata-decoded | RTF \objdata at offset 0x606BE | 20545 bytes | 5dabbc707cd253f516bbab520be90613eb561b810ba1ae02dbfab9144800f378 | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_07_off000700c7.bin | rtf-objdata-decoded | RTF \objdata at offset 0x700C7 | 20545 bytes | 88a6c857a6e018c08445a2a72b590a13d83821871a465a1df0eb3786625809e2 | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_08_off0007fad0.bin | rtf-objdata-decoded | RTF \objdata at offset 0x7FAD0 | 20545 bytes | bf2f858c64afad37914400d54b51d2d8e8696329e6badae6b63ed2772b416c57 | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_09_off0008f4d9.bin | rtf-objdata-decoded | RTF \objdata at offset 0x8F4D9 | 20545 bytes | 5a5ac2526a9d5c5786789e5aab65427ea62cb336eb12455867e2b99bc6b066f1 | Doc.Macro.Obfuscation-6391394-0 | unlikely |