MALICIOUS
Risk Score: 202
Heuristics 5
- ClamAV: Doc.Macro.Obfuscation-6391394-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Macro.Obfuscation-6391394-0
- \objupdate forces OLE activation (high, RTF_OBJUPDATE): RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
- OLE object data (medium, RTF_OBJDATA): RTF contains 10 \objdata section(s) (embedded OLE objects)
- Embedded OLE object (medium, RTF_OBJEMB): RTF contains \objemb (embedded OLE object)
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)
Extracted artifacts 10
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 | ClamAV detection | Obfuscation or payload |
|---|---|---|---|---|---|---|
| objdata_00_off00002a86.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2A86 | 21057 bytes | 1520ec5c950abbf109e80be6678e075dffcd629ea62b5fe9c39192933302f73a | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_01_off00012895.bin | rtf-objdata-decoded | RTF \objdata at offset 0x12895 | 21057 bytes | 04f76a84a9081aaba9b65e52c361fdf9f169ad286871a2d48edae25925eac5cf | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_02_off000226a6.bin | rtf-objdata-decoded | RTF \objdata at offset 0x226A6 | 21057 bytes | 5a65fe8b164f35cbe673632eea161b66faff5ae5707d51e8851355d7d99eef8b | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_03_off000324b7.bin | rtf-objdata-decoded | RTF \objdata at offset 0x324B7 | 21057 bytes | 36fb3deb28aed7d3dfaf2cda28a797a7186ea01b097dc7a2975987cc976f47e3 | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_04_off000422c8.bin | rtf-objdata-decoded | RTF \objdata at offset 0x422C8 | 21057 bytes | f37d0384451196a2c5a062221bce2c641b230cbcfce04b192c5f7543d54beb84 | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_05_off000520d9.bin | rtf-objdata-decoded | RTF \objdata at offset 0x520D9 | 21057 bytes | dcf458f8afebe6bb957defd98298d992bc11e9c037ad3ca632b4ed040d186d93 | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_06_off00061eea.bin | rtf-objdata-decoded | RTF \objdata at offset 0x61EEA | 21057 bytes | a49c6105b75c4e33d119fa52859e501e6dc55a839d1068e80965b8c35a480dc3 | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_07_off00071cfb.bin | rtf-objdata-decoded | RTF \objdata at offset 0x71CFB | 21057 bytes | 0f209997def070415a497b0545720721a04a19d8174287566cecc0bbf7a939ac | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_08_off00081b0c.bin | rtf-objdata-decoded | RTF \objdata at offset 0x81B0C | 21057 bytes | b9c6e7151cb18b83edbdae88ddd1a1c8642f59597ce815452d8b584fd1db2595 | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_09_off0009191d.bin | rtf-objdata-decoded | RTF \objdata at offset 0x9191D | 21057 bytes | 3d062467c00a304746f207883f83bd4741b183727bc212cbf6fef3b01851e112 | Doc.Macro.Obfuscation-6391394-0 | unlikely |