MALICIOUS
Risk Score: 202

Heuristics (5)
- ClamAV: Doc.Macro.Obfuscation-6391394-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Macro.Obfuscation-6391394-0
- \objupdate forces OLE activation [high, RTF_OBJUPDATE]: RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
- OLE object data [medium, RTF_OBJDATA]: RTF contains 10 \objdata section(s) — embedded OLE objects
- Embedded OLE object [medium, RTF_OBJEMB]: RTF contains \objemb — embedded OLE object
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)

Extracted artifacts (10)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 | ClamAV detection | Obfuscation or payload |
|---|---|---|---|---|---|---|
| objdata_00_off00002a8d.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2A8D | 20545 bytes | d9336709e0b73c0f9d79ca7919ae04f5b6cd2f3d84b1cad57d534baa13dc8168 | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_01_off00012496.bin | rtf-objdata-decoded | RTF \objdata at offset 0x12496 | 20545 bytes | ead52906b0926af067a7bf7ced51efedb285b19bd96769278ae7d0b0a81a45ed | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_02_off00021ea1.bin | rtf-objdata-decoded | RTF \objdata at offset 0x21EA1 | 20545 bytes | ed8232eb5f60b73ee52a5e7951cba2324f94a005aaaefa29eb663ce429da459e | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_03_off000318ac.bin | rtf-objdata-decoded | RTF \objdata at offset 0x318AC | 20545 bytes | 294bc67daa93b9360f1221aaf0fdcb1cd5b6b2d31b308e1ce636420af2396f1d | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_04_off000412b7.bin | rtf-objdata-decoded | RTF \objdata at offset 0x412B7 | 20545 bytes | 7501bf78c339cf698aafab311a6f0ad8144bf02b907a5a4950b99e3dcf47a23f | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_05_off00050cc2.bin | rtf-objdata-decoded | RTF \objdata at offset 0x50CC2 | 20545 bytes | 10eb6a4f323abc731740a8730f7add8beafe063616ba59d2c7f1c1679f683b94 | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_06_off000606cd.bin | rtf-objdata-decoded | RTF \objdata at offset 0x606CD | 20545 bytes | 72daa02607e3878334fe333bb8c7862110cd43b555a1b4f9afbaeca68871d8d8 | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_07_off000700d8.bin | rtf-objdata-decoded | RTF \objdata at offset 0x700D8 | 20545 bytes | 6088fa142e8ddaab6ee0b6d35ae3da5afc18a77e0fc0c823718b527894087b74 | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_08_off0007fae3.bin | rtf-objdata-decoded | RTF \objdata at offset 0x7FAE3 | 20545 bytes | c6c31d15ffca4c853c9528cc6fb6137e06463d5bd153523a3ab627047b8cd3f7 | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_09_off0008f4ee.bin | rtf-objdata-decoded | RTF \objdata at offset 0x8F4EE | 20545 bytes | f9f7a704ecff51878957d52380894cf62e6decac13611fcb16b575eb12f85348 | Doc.Macro.Obfuscation-6391394-0 | unlikely |