Verdict: MALICIOUS
Risk Score: 242
Heuristics: 6
- ClamAV: Doc.Dropper.Agent-6944121-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6944121-0
- \objupdate forces OLE activation (high, RTF_OBJUPDATE): RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
- Large hex data blocks in OLE object (high, RTF_EXCESSIVE_HEX): RTF contains ~1037KB of hex-encoded data inside \objdata sections — may hide a payload
- OLE object data (medium, RTF_OBJDATA): RTF contains 16 \objdata section(s) — embedded OLE objects
- Embedded OLE object (medium, RTF_OBJEMB): RTF contains \objemb — embedded OLE object
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)
Extracted artifacts (16)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 | Detection | Obfuscation or payload |
|---|---|---|---|---|---|---|
| objdata_00_off00002c41.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2C41 | 27195 bytes | 8dfc9afe58bf3455fab726463f3ed12c664c6892c4446be4f9cbca068b6f5e92 | ClamAV: Doc.Dropper.Agent-6944121-0 | unlikely |
| objdata_01_off0001606a.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1606A | 27195 bytes | 918f3a1a0b8095accfcf9cc4b081576c45f587f3cd26fb567a326fefa5e3c60c | ClamAV: Doc.Dropper.Agent-6944121-0 | unlikely |
| objdata_02_off00029493.bin | rtf-objdata-decoded | RTF \objdata at offset 0x29493 | 27195 bytes | f43c76592ed307d4a5badcd128810dff0b8b5c59706fce44992c64e3e2e7fa59 | ClamAV: Doc.Dropper.Agent-6944121-0 | unlikely |
| objdata_03_off0003c8bc.bin | rtf-objdata-decoded | RTF \objdata at offset 0x3C8BC | 27195 bytes | 98d56cf7c0244e90f62a1f81fc8813344f1f29082c095fd9b7ee7f7212daced1 | ClamAV: Doc.Dropper.Agent-6944121-0 | unlikely |
| objdata_04_off0004fce5.bin | rtf-objdata-decoded | RTF \objdata at offset 0x4FCE5 | 27195 bytes | a46f30b36ce4128d9842ddb6a1f042e57ab394973343522fe9e7a5551396780c | ClamAV: Doc.Dropper.Agent-6944121-0 | unlikely |
| objdata_05_off0006310e.bin | rtf-objdata-decoded | RTF \objdata at offset 0x6310E | 27195 bytes | 44dfeb88edbc848b97f48438b719eb90ed18a4fd03dd35a31ea5d9268ac3f277 | ClamAV: Doc.Dropper.Agent-6944121-0 | unlikely |
| objdata_06_off00076537.bin | rtf-objdata-decoded | RTF \objdata at offset 0x76537 | 27195 bytes | 4d1f07df04e8dd263f27a2d502c50d1ec6651d6917e77b9f027ea534f311b0db | ClamAV: Doc.Dropper.Agent-6944121-0 | unlikely |
| objdata_07_off00089960.bin | rtf-objdata-decoded | RTF \objdata at offset 0x89960 | 27195 bytes | 79496a3a43071d074ce7c70cbefedec265dcc21913dd07c828d2e297beb013bd | ClamAV: Doc.Dropper.Agent-6944121-0 | unlikely |
| objdata_08_off0009cdd3.bin | rtf-objdata-decoded | RTF \objdata at offset 0x9CDD3 | 27195 bytes | 3984f1e5092593f835db96ef488af6968937731f4feaedf0c0c8f14de4ce519f | ClamAV: Doc.Dropper.Agent-6944121-0 | unlikely |
| objdata_09_off000b01fc.bin | rtf-objdata-decoded | RTF \objdata at offset 0xB01FC | 27195 bytes | 7de2676ffebdc1006fa402c21bdb39144f42eb65b8c6dff7cfbea70a022b0b34 | ClamAV: Doc.Dropper.Agent-6944121-0 | unlikely |
| objdata_10_off000c3625.bin | rtf-objdata-decoded | RTF \objdata at offset 0xC3625 | 27195 bytes | f4fa72d38b51fab7ad25dfe1c3278f2570e9838643745b0858e2207690b3c128 | ClamAV: Doc.Dropper.Agent-6944121-0 | unlikely |
| objdata_11_off000d6a4e.bin | rtf-objdata-decoded | RTF \objdata at offset 0xD6A4E | 27195 bytes | 10288755592871bc9a73cf48c99e79a86c0b22dcc07d4fd2d50ff8fb7756e783 | ClamAV: Doc.Dropper.Agent-6944121-0 | unlikely |
| objdata_12_off000e9e77.bin | rtf-objdata-decoded | RTF \objdata at offset 0xE9E77 | 27195 bytes | 1e7721a317507560d53402d9d5435b1f76a6d459b7aa8a0b314e8205bac6cd42 | ClamAV: Doc.Dropper.Agent-6944121-0 | unlikely |
| objdata_13_off000fd2a0.bin | rtf-objdata-decoded | RTF \objdata at offset 0xFD2A0 | 27195 bytes | 2d03aac00fdefa5474901b7648fc0d2680e3956dc8342d9ee907442799a61e3a | ClamAV: Doc.Dropper.Agent-6944121-0 | unlikely |
| objdata_14_off001106c9.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1106C9 | 27195 bytes | 7b5affb4aa22b2fce629f110a00aab4cb93ea4961eaba9d55b9a928d5a6c38dd | ClamAV: Doc.Dropper.Agent-6944121-0 | unlikely |
| objdata_15_off00123af2.bin | rtf-objdata-decoded | RTF \objdata at offset 0x123AF2 | 27195 bytes | 00839e5f62e9ad483155f34ec66ff96830d62d3d024fcbf315c69cd66622dc3f | ClamAV: Doc.Dropper.Agent-6944121-0 | unlikely |