Xls.Malware.Valyria-10036093-0 — RTF malware analysis

Static analysis result for SHA-256 05f28e2a04133f83…

Verdict: MALICIOUS
File type: RTF
Size: 467.8 KB
Created: 2021-06-22 04:20:00
First seen: 2021-07-02
MD5: c508cf89613b1ae40884d2890e6cdee2
SHA-1: 61648253fb2aab3405047328a7d984191a201578
SHA-256: 05f28e2a04133f83587e65b62027365535fd02bd8d1da7b07c88a97e8fd3a202
Risk Score: 202

Malware Insights

Xls.Malware.Valyria-10036093-0 · confidence 95%

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The RTF file contains multiple embedded OLE objects, with one being forcefully updated via \objupdate. ClamAV detections, specifically 'Xls.Malware.Valyria-10036093-0', strongly indicate malicious content within these embedded objects. The presence of OLE objects and the forced update suggest an attempt to execute malicious code upon opening the document.

Heuristics (5)

  • ClamAV: Xls.Malware.Valyria-10036093-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Xls.Malware.Valyria-10036093-0
  • \objupdate forces OLE activation [high, RTF_OBJUPDATE]
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium, RTF_OBJDATA]
    RTF contains 6 \objdata section(s) — embedded OLE objects
  • Embedded OLE object [medium, RTF_OBJEMB]
    RTF contains \objemb — embedded OLE object
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Fields per artifact: Filename, Kind, Source, Size, SHA-256, Detection, Obfuscation or payload.

objdata_00_off0000291c.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x291C
  Size: 26171 bytes
  SHA-256: 2cac12b73d1dcb682de9d0ddd4815f32de388208b48603d692aa64d8a4bf46cd
  Detection: ClamAV: Xls.Malware.Valyria-10036093-0
  Obfuscation or payload: unlikely

objdata_01_off00014c4e.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x14C4E
  Size: 26171 bytes
  SHA-256: d0d7e4686755c299e0752c2d2e1dc2cd9f9a937fa7b95a05605c37c6dd62f272
  Detection: ClamAV: Xls.Malware.Valyria-10036093-0
  Obfuscation or payload: unlikely

objdata_02_off00026f7e.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x26F7E
  Size: 26171 bytes
  SHA-256: 6ea3efa9042765e8e60a64c7d1df1e686f7a5a905f5236e2565cf88d2d79001f
  Detection: ClamAV: Xls.Malware.Valyria-10036093-0
  Obfuscation or payload: unlikely

objdata_03_off000392ae.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x392AE
  Size: 26171 bytes
  SHA-256: 387b87a75d186d40dd3a7120837d410359b511fd1d32f1fd4b71245106d1bf3f
  Detection: ClamAV: Xls.Malware.Valyria-10036093-0
  Obfuscation or payload: unlikely

objdata_04_off0004b6e5.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x4B6E5
  Size: 26171 bytes
  SHA-256: 169e6f672b699ad9087a7edac382729a15b4ce27ca45521367682f9cbdf3a41a
  Detection: ClamAV: Xls.Malware.Valyria-10036093-0
  Obfuscation or payload: unlikely

objdata_05_off0005db1c.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x5DB1C
  Size: 26171 bytes
  SHA-256: 6619dd41f4f034e96eb799b6b3fe91eaea688349d8d06fbf9c5b9ad2b3cc906b
  Detection: ClamAV: Xls.Malware.Valyria-10036093-0
  Obfuscation or payload: unlikely