MALICIOUS
Risk Score: 202

Heuristics: 5
- ClamAV: Doc.Macro.Obfuscation-6391394-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Macro.Obfuscation-6391394-0
- \objupdate forces OLE activation (high, RTF_OBJUPDATE): RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
- OLE object data (medium, RTF_OBJDATA): RTF contains 10 \objdata section(s) — embedded OLE objects
- Embedded OLE object (medium, RTF_OBJEMB): RTF contains \objemb — embedded OLE object
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)

Extracted artifacts: 10
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 | ClamAV detection | Obfuscation or payload |
|---|---|---|---|---|---|---|
| objdata_00_off00002a8d.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2A8D | 20545 bytes | c0887b7fec10b6bbd0b2eebed7dcf1ea4af6122b5559e4085f566e09df6a9acc | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_01_off00012496.bin | rtf-objdata-decoded | RTF \objdata at offset 0x12496 | 20545 bytes | 284aa6d30b691946fd0ccb737327496e5d6cb241d99b12c8710598990e32112c | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_02_off00021ea1.bin | rtf-objdata-decoded | RTF \objdata at offset 0x21EA1 | 20545 bytes | e779f2a374685d444c9cb83b11aa1fa48b742856eee4da515048dc1980931af0 | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_03_off000318ac.bin | rtf-objdata-decoded | RTF \objdata at offset 0x318AC | 20545 bytes | 45124deaad80b9d9568468f172f1e8e44f4ab64751c1863f22e395ddb2dd6630 | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_04_off000412b7.bin | rtf-objdata-decoded | RTF \objdata at offset 0x412B7 | 20545 bytes | 6ee7569003263b955a3f1e4b1ae0f5db407053dc55ccfdcd65953b2bafc87926 | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_05_off00050cc2.bin | rtf-objdata-decoded | RTF \objdata at offset 0x50CC2 | 20545 bytes | b1221c280fb81c6dfe370c34a7bd76bfb122d87acdcfa01d97af3265fafa4369 | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_06_off000606cd.bin | rtf-objdata-decoded | RTF \objdata at offset 0x606CD | 20545 bytes | b8614d7d022a15ad3f88f001c013f89b7ad66b63168de5a7e98fbee2c980e632 | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_07_off000700d8.bin | rtf-objdata-decoded | RTF \objdata at offset 0x700D8 | 20545 bytes | a96a953dd6156944e8e250fb08f4833558035d6e116ff4c24d199e9d5e3c10c3 | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_08_off0007fae3.bin | rtf-objdata-decoded | RTF \objdata at offset 0x7FAE3 | 20545 bytes | c5a5a545937d89744d698399fff72fe904babff49cdc4bd2d3134b74a003e75d | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_09_off0008f4ee.bin | rtf-objdata-decoded | RTF \objdata at offset 0x8F4EE | 20545 bytes | f23eb083c954942fa2131e350b1a27c0daa7504a013c105ca3fc0060275384bb | Doc.Macro.Obfuscation-6391394-0 | unlikely |