MALICIOUS
Risk Score: 202

Heuristics: 5
- [critical] ClamAV: Doc.Macro.Obfuscation-6391394-0 (CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Macro.Obfuscation-6391394-0
- [high] \objupdate forces OLE activation (RTF_OBJUPDATE): RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
- [medium] OLE object data (RTF_OBJDATA): RTF contains 10 \objdata section(s) — embedded OLE objects
- [medium] Embedded OLE object (RTF_OBJEMB): RTF contains \objemb — embedded OLE object
- [info] Embedded URL (EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)

Extracted artifacts 10
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 | ClamAV detection | Obfuscation or payload |
|---|---|---|---|---|---|---|
| objdata_00_off00002a8b.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2A8B | 21057 bytes | 21f223f6f4c37c123a4f3d2cc1154277c744349a4168d7faaf6bc46e6441caa3 | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_01_off0001289c.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1289C | 21057 bytes | 5f2ef2c4f2937a300ad2587b90d64138b47cf07419f5af53a32ecc6fbd2d8469 | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_02_off000226af.bin | rtf-objdata-decoded | RTF \objdata at offset 0x226AF | 21057 bytes | ba910171f779c3bb492f562fe1d337c948bbcb298bef129a577be51927119067 | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_03_off000324c2.bin | rtf-objdata-decoded | RTF \objdata at offset 0x324C2 | 21057 bytes | 1a9f2650f8a1074dc0d9b17c7478f6acc32730366f459b2229d25577cf9080ef | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_04_off000422d5.bin | rtf-objdata-decoded | RTF \objdata at offset 0x422D5 | 21057 bytes | 7a024f4497f42f55811bea21c721ca9bc046a3fceb06e35057b93a56db93fb85 | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_05_off000520e8.bin | rtf-objdata-decoded | RTF \objdata at offset 0x520E8 | 21057 bytes | 5f5aebe178b044adf68c46f24cf9179bb3233ee38b2ba5bd70134d50c9aa2ee8 | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_06_off00061efb.bin | rtf-objdata-decoded | RTF \objdata at offset 0x61EFB | 21057 bytes | 1dbbd1ae800f34d5aa11d50a50ed6962281e51b0d3727babd264d37d491e588d | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_07_off00071d0e.bin | rtf-objdata-decoded | RTF \objdata at offset 0x71D0E | 21057 bytes | e1dc6807abd5edf175d373efb2e11cf799770618b9ee68c6ef3c9c8da2a0c120 | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_08_off00081b21.bin | rtf-objdata-decoded | RTF \objdata at offset 0x81B21 | 21057 bytes | fa5ab752f6b755aea2a35f64b0dbb115f97129baf212cd596594f03e02a4a046 | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_09_off00091934.bin | rtf-objdata-decoded | RTF \objdata at offset 0x91934 | 21057 bytes | fc0d98138e769302f5ce79b654ff028a5d16c53f699da6ca9ea1c5c03816d04f | Doc.Macro.Obfuscation-6391394-0 | unlikely |