MALICIOUS
Risk Score: 202
Heuristics 5
- ClamAV: Doc.Macro.Obfuscation-6391394-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Macro.Obfuscation-6391394-0
- \objupdate forces OLE activation (high, RTF_OBJUPDATE): RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
- OLE object data (medium, RTF_OBJDATA): RTF contains 10 \objdata section(s) — embedded OLE objects
- Embedded OLE object (medium, RTF_OBJEMB): RTF contains \objemb — embedded OLE object
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.microsoft.com/office/word/2003/wordml (In RTF body)
Extracted artifacts 10
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 | Detection |
|---|---|---|---|---|---|
| objdata_00_off00002cb6.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2CB6 | 26683 bytes | c774409e95f5e7e149459a85c54f01cdcc768fcc5727bb3f252a380ec3e4c6cf | ClamAV: Doc.Macro.Obfuscation-6391394-0; Obfuscation or payload: unlikely |
| objdata_01_off00016164.bin | rtf-objdata-decoded | RTF \objdata at offset 0x16164 | 26683 bytes | d4150b97b13cd97361dd255276870b989c9a6f254b2aea3fed82e0a208c2d6c3 | ClamAV: Doc.Macro.Obfuscation-6391394-0; Obfuscation or payload: unlikely |
| objdata_02_off00029612.bin | rtf-objdata-decoded | RTF \objdata at offset 0x29612 | 26683 bytes | 1d7b2a4c8727a8fbbda08f0e19945ce35633c17b6467c27ebba3991fbfa21814 | ClamAV: Doc.Macro.Obfuscation-6391394-0; Obfuscation or payload: unlikely |
| objdata_03_off0003cac0.bin | rtf-objdata-decoded | RTF \objdata at offset 0x3CAC0 | 26683 bytes | 40a529c50a034933c752b96b669b887bd328ae4a36baecbff36d5f2c4a2eacd6 | ClamAV: Doc.Macro.Obfuscation-6391394-0; Obfuscation or payload: unlikely |
| objdata_04_off0004ff6e.bin | rtf-objdata-decoded | RTF \objdata at offset 0x4FF6E | 26683 bytes | ae6bf803af0bd4c49578fd63279c5dd5525178f16dde18a00f7c8a2efe9cb1cf | ClamAV: Doc.Macro.Obfuscation-6391394-0; Obfuscation or payload: unlikely |
| objdata_05_off00063466.bin | rtf-objdata-decoded | RTF \objdata at offset 0x63466 | 26683 bytes | d271a03e98010add5182401484c5d2e646df656867583960d7bd4c3a6e5226c0 | ClamAV: Doc.Macro.Obfuscation-6391394-0; Obfuscation or payload: unlikely |
| objdata_06_off00076914.bin | rtf-objdata-decoded | RTF \objdata at offset 0x76914 | 26683 bytes | 3e97a428934e28dcf29786a555faff26436b3e88e2f3aff4945abe6cc5885678 | ClamAV: Doc.Macro.Obfuscation-6391394-0; Obfuscation or payload: unlikely |
| objdata_07_off00089dc2.bin | rtf-objdata-decoded | RTF \objdata at offset 0x89DC2 | 26683 bytes | 9c0d82e23bd99794d6c3048ae43f2df3cd3a9a8b0ae93b0bc3fdfc391c0f3415 | ClamAV: Doc.Macro.Obfuscation-6391394-0; Obfuscation or payload: unlikely |
| objdata_08_off0009d270.bin | rtf-objdata-decoded | RTF \objdata at offset 0x9D270 | 26683 bytes | d795ef76e6619e464f9b8cb46c92da8436e089250d89f37f10f865ec6581ed86 | ClamAV: Doc.Macro.Obfuscation-6391394-0; Obfuscation or payload: unlikely |
| objdata_09_off000b071e.bin | rtf-objdata-decoded | RTF \objdata at offset 0xB071E | 26683 bytes | 80b09b21658053a43a93f30b0c9fdf68270616a41b3d569f9ac421c0e74d34fe | ClamAV: Doc.Macro.Obfuscation-6391394-0; Obfuscation or payload: unlikely |