MALICIOUS
Risk Score: 202

Heuristics (5)

- ClamAV: Doc.Macro.Obfuscation-6391394-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Macro.Obfuscation-6391394-0
- \objupdate forces OLE activation (high, RTF_OBJUPDATE): RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
- OLE object data (medium, RTF_OBJDATA): RTF contains 10 \objdata section(s): embedded OLE objects
- Embedded OLE object (medium, RTF_OBJEMB): RTF contains \objemb: embedded OLE object
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)

Extracted artifacts (10)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 | ClamAV detection | Obfuscation or payload |
|---|---|---|---|---|---|---|
| objdata_00_off00002a86.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2A86 | 21057 bytes | 55f933fdb9a6dc56be36ab09f93ea4b028c5d79b9c4f9e35f32625b2d6fe8d29 | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_01_off00012895.bin | rtf-objdata-decoded | RTF \objdata at offset 0x12895 | 21057 bytes | 0347ce7bfed0532b9b8937c2b059b46e2fab5e8ab8e7f4c5243477c46d2499e3 | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_02_off000226a6.bin | rtf-objdata-decoded | RTF \objdata at offset 0x226A6 | 21057 bytes | 17409411fc66fa168401be879f984fa130c1cb80a8b81e865a15b9b8fbff0cc3 | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_03_off000324b7.bin | rtf-objdata-decoded | RTF \objdata at offset 0x324B7 | 21057 bytes | 1ad0a84e373deff8ef737b3a020e1e773f7cccbcd145c261a62c3b725f2768ab | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_04_off000422c8.bin | rtf-objdata-decoded | RTF \objdata at offset 0x422C8 | 21057 bytes | bbf792f55999c0973e658deaa8bcd453d5bc740de35b6e0b9da47b12418cd8d0 | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_05_off000520d9.bin | rtf-objdata-decoded | RTF \objdata at offset 0x520D9 | 21057 bytes | fa6a47485491f5a7b34782cd0c5895c6809805a8e035102b01ca4af5e835c53c | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_06_off00061eea.bin | rtf-objdata-decoded | RTF \objdata at offset 0x61EEA | 21057 bytes | 16055361a2c2348bf52789507b46a210962393fd4cde112658b9be584e83e15f | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_07_off00071cfb.bin | rtf-objdata-decoded | RTF \objdata at offset 0x71CFB | 21057 bytes | fed5abdf9f08993e9c0f75ba34768d133c646594a4c67e20136e94089b9ecc3b | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_08_off00081b0c.bin | rtf-objdata-decoded | RTF \objdata at offset 0x81B0C | 21057 bytes | aa075b5812dc7682f5d39abf31c3861d2c8ea35f61b7998c6759836841ec5a83 | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_09_off0009191d.bin | rtf-objdata-decoded | RTF \objdata at offset 0x9191D | 21057 bytes | 5ddda2db6f3e354aef64a502f0544bbcfaf8428b13df4782b1878b14f46d01da | Doc.Macro.Obfuscation-6391394-0 | unlikely |