MALICIOUS
Risk Score: 122
Heuristics 5
- \objupdate forces OLE activation (high, RTF_OBJUPDATE): RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
- Large hex data blocks in OLE object (high, RTF_EXCESSIVE_HEX): RTF contains ~1037KB of hex-encoded data inside \objdata sections — may hide a payload
- OLE object data (medium, RTF_OBJDATA): RTF contains 18 \objdata section(s) — embedded OLE objects
- Embedded OLE object (medium, RTF_OBJEMB): RTF contains \objemb — embedded OLE object
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.microsoft.com/office/word/2003/wordml (In RTF body)
Extracted artifacts 18
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| objdata_00_off00002c45.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2C45 | 27195 bytes |
| objdata_01_off00016074.bin | rtf-objdata-decoded | RTF \objdata at offset 0x16074 | 27195 bytes |
| objdata_02_off000294a3.bin | rtf-objdata-decoded | RTF \objdata at offset 0x294A3 | 27195 bytes |
| objdata_03_off0003c8d2.bin | rtf-objdata-decoded | RTF \objdata at offset 0x3C8D2 | 27195 bytes |
| objdata_04_off0004fd01.bin | rtf-objdata-decoded | RTF \objdata at offset 0x4FD01 | 27195 bytes |
| objdata_05_off00063130.bin | rtf-objdata-decoded | RTF \objdata at offset 0x63130 | 27195 bytes |
| objdata_06_off0007655f.bin | rtf-objdata-decoded | RTF \objdata at offset 0x7655F | 27195 bytes |
| objdata_07_off0008998e.bin | rtf-objdata-decoded | RTF \objdata at offset 0x8998E | 27195 bytes |
| objdata_08_off0009cdbd.bin | rtf-objdata-decoded | RTF \objdata at offset 0x9CDBD | 27195 bytes |
| objdata_09_off000b0238.bin | rtf-objdata-decoded | RTF \objdata at offset 0xB0238 | 27195 bytes |
| objdata_10_off000c3667.bin | rtf-objdata-decoded | RTF \objdata at offset 0xC3667 | 27195 bytes |
| objdata_11_off000d6a96.bin | rtf-objdata-decoded | RTF \objdata at offset 0xD6A96 | 27195 bytes |
| objdata_12_off000e9ec5.bin | rtf-objdata-decoded | RTF \objdata at offset 0xE9EC5 | 27195 bytes |
| objdata_13_off000fd2f4.bin | rtf-objdata-decoded | RTF \objdata at offset 0xFD2F4 | 27195 bytes |
| objdata_14_off00110723.bin | rtf-objdata-decoded | RTF \objdata at offset 0x110723 | 27195 bytes |
| objdata_15_off00123b52.bin | rtf-objdata-decoded | RTF \objdata at offset 0x123B52 | 27195 bytes |
| objdata_16_off00136f81.bin | rtf-objdata-decoded | RTF \objdata at offset 0x136F81 | 27195 bytes |
| objdata_17_off0014a3b0.bin | rtf-objdata-decoded | RTF \objdata at offset 0x14A3B0 | 27195 bytes |