Verdict: MALICIOUS

Risk score: 242

Heuristics (6):

- ClamAV: Xls.Downloader.Generic-6750544-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Downloader.Generic-6750544-0
- \objupdate forces OLE activation (high, RTF_OBJUPDATE): RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
- Large hex data blocks in OLE object (high, RTF_EXCESSIVE_HEX): RTF contains ~1002KB of hex-encoded data inside \objdata sections — may hide a payload
- OLE object data (medium, RTF_OBJDATA): RTF contains 14 \objdata section(s) — embedded OLE objects
- Embedded OLE object (medium, RTF_OBJEMB): RTF contains \objemb — embedded OLE object
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)
Extracted artifacts (14)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 | Detection |
|---|---|---|---|---|---|
| objdata_00_off00002c44.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2C44 | 28731 bytes | 94b3a6277d305a354405ce06f0908ca8cd7f4bf557da8df806b28c51a35355c7 | ClamAV: Xls.Downloader.Generic-6750544-0; obfuscation or payload: unlikely |
| objdata_01_off00016c85.bin | rtf-objdata-decoded | RTF \objdata at offset 0x16C85 | 28731 bytes | 71504b892d7347f8db987ad3d8fa13ef8e3d1e4fc198cfb0200ca0cbb4f6051c | ClamAV: Xls.Downloader.Generic-6750544-0; obfuscation or payload: unlikely |
| objdata_02_off0002acc6.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2ACC6 | 28731 bytes | dc6be9596e292ad1fddc3fb320c86031cfa4ad49643e465fb9cb0caa125869e7 | ClamAV: Xls.Downloader.Generic-6750544-0; obfuscation or payload: unlikely |
| objdata_03_off0003ed07.bin | rtf-objdata-decoded | RTF \objdata at offset 0x3ED07 | 28731 bytes | ff9b4f76a18c06faafb7dfa99f7a084cddfe79b39001aac6de7043b079b30937 | ClamAV: Xls.Downloader.Generic-6750544-0; obfuscation or payload: unlikely |
| objdata_04_off00052d48.bin | rtf-objdata-decoded | RTF \objdata at offset 0x52D48 | 28731 bytes | 631981dc002e262844d28259def0aeabb53b4634af1dc74aa52a2519d5ac1536 | ClamAV: Xls.Downloader.Generic-6750544-0; obfuscation or payload: unlikely |
| objdata_05_off00066d89.bin | rtf-objdata-decoded | RTF \objdata at offset 0x66D89 | 28731 bytes | dfde6dcd7fc004df5f0780fcc5a30188f1518bc9ccd0e9cdb452e92ee2a3e5c9 | ClamAV: Xls.Downloader.Generic-6750544-0; obfuscation or payload: unlikely |
| objdata_06_off0007adca.bin | rtf-objdata-decoded | RTF \objdata at offset 0x7ADCA | 28731 bytes | 0522eef38ca61d56e06aa4e8dd43d562553163c70d606e7eb7a6ee8423aae1e8 | ClamAV: Xls.Downloader.Generic-6750544-0; obfuscation or payload: unlikely |
| objdata_07_off0008ee55.bin | rtf-objdata-decoded | RTF \objdata at offset 0x8EE55 | 28731 bytes | 1e89305c89c180dcf5a8a3efe5a0803b7e9ab8bcccd1bae56932c2c091da70fe | ClamAV: Xls.Downloader.Generic-6750544-0; obfuscation or payload: unlikely |
| objdata_08_off000a2e96.bin | rtf-objdata-decoded | RTF \objdata at offset 0xA2E96 | 28731 bytes | 700c75fb5f0c091460e89e95d334ddbc12b0d65332b43da594528c8511253291 | ClamAV: Xls.Downloader.Generic-6750544-0; obfuscation or payload: unlikely |
| objdata_09_off000b6ed7.bin | rtf-objdata-decoded | RTF \objdata at offset 0xB6ED7 | 28731 bytes | c998fce755446f1d4eafa22d826ce26f484c789ff552059f06323921cf5723a5 | ClamAV: Xls.Downloader.Generic-6750544-0; obfuscation or payload: unlikely |
| objdata_10_off000caf18.bin | rtf-objdata-decoded | RTF \objdata at offset 0xCAF18 | 28731 bytes | 19f654db99d1ffca9ba8e788acc92d14266eed3a0c81784003e4e52bcd6142cb | ClamAV: Xls.Downloader.Generic-6750544-0; obfuscation or payload: unlikely |
| objdata_11_off000def59.bin | rtf-objdata-decoded | RTF \objdata at offset 0xDEF59 | 28731 bytes | 182680da10d010c0f11194a3272c15eb320d67d475489fa31283ea06f552b657 | ClamAV: Xls.Downloader.Generic-6750544-0; obfuscation or payload: unlikely |
| objdata_12_off000f2f9a.bin | rtf-objdata-decoded | RTF \objdata at offset 0xF2F9A | 28731 bytes | 33506e6d2682db5f5e3fed1ccc47f5e898509af933a68fe65a5cec1a95d749f0 | ClamAV: Xls.Downloader.Generic-6750544-0; obfuscation or payload: unlikely |
| objdata_13_off00106fdb.bin | rtf-objdata-decoded | RTF \objdata at offset 0x106FDB | 28731 bytes | 16f3673a8839d7b13585b962443776513577ff69237f038aca72e75bbf4601e8 | ClamAV: Xls.Downloader.Generic-6750544-0; obfuscation or payload: unlikely |