MALICIOUS
Risk Score: 202

Heuristics: 5

- ClamAV: Doc.Macro.Obfuscation-6391394-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Macro.Obfuscation-6391394-0
- \objupdate forces OLE activation (high, RTF_OBJUPDATE): RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
- OLE object data (medium, RTF_OBJDATA): RTF contains 10 \objdata section(s) (embedded OLE objects)
- Embedded OLE object (medium, RTF_OBJEMB): RTF contains \objemb (embedded OLE object)
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)

Extracted artifacts 10
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 | ClamAV detection | Obfuscation or payload |
|---|---|---|---|---|---|---|
| objdata_00_off00002a8b.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2A8B | 20545 bytes | 7fc90a8b7558372e82cd3b956e2efde2edae2e78f655c8c3f728a729544a4466 | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_01_off00012492.bin | rtf-objdata-decoded | RTF \objdata at offset 0x12492 | 20545 bytes | 05e444397d9a6ca2e0d90b9b2d0a7f580316cee37a0498d493a8665975b6f8fa | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_02_off00021e9b.bin | rtf-objdata-decoded | RTF \objdata at offset 0x21E9B | 20545 bytes | 5459e5d41f0c085ef1d98ef1535daeb97b255e6d6f86b0db46e4b4dcb2da2932 | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_03_off000318a4.bin | rtf-objdata-decoded | RTF \objdata at offset 0x318A4 | 20545 bytes | 23982db1c559df91ad1d7875b775d997a32add7303528d5df2b99f24e0715c3d | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_04_off000412ad.bin | rtf-objdata-decoded | RTF \objdata at offset 0x412AD | 20545 bytes | 72e0e83b1d18fac506214eb05062d3e53388629b2e6006133ce04a1f7913f8dd | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_05_off00050cb6.bin | rtf-objdata-decoded | RTF \objdata at offset 0x50CB6 | 20545 bytes | 7e7c9ab2ac0990ab3c3dc2a37d6a2b026414ac66d840287a2e2c7dbf04d0cab5 | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_06_off000606bf.bin | rtf-objdata-decoded | RTF \objdata at offset 0x606BF | 20545 bytes | f7ecb18de9481e741bca4aa15ba604d91e618ab2c1cc1c598b08fec2af708ad0 | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_07_off000700c8.bin | rtf-objdata-decoded | RTF \objdata at offset 0x700C8 | 20545 bytes | f7f34e1434b65e861fcaf38186db7f4287e4f488ac1d3e91babb50363c6ba491 | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_08_off0007fad1.bin | rtf-objdata-decoded | RTF \objdata at offset 0x7FAD1 | 20545 bytes | 63083b16019af78b09e417294a4eca2e9d646f91598e5583f55a8a7ba815e2f0 | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_09_off0008f4da.bin | rtf-objdata-decoded | RTF \objdata at offset 0x8F4DA | 20545 bytes | 2b326ec9229a830a1d93e114b5b7c4919929d2e226a3d9618a97a67a66163d3f | Doc.Macro.Obfuscation-6391394-0 | unlikely |