Xls.Malware.Valyria-10036093-0 — RTF / .DOC malware analysis

Static analysis result for SHA-256 0c71bb401046b216…

Verdict: MALICIOUS

File type: RTF / .DOC

Size: 735.0 KB
Created: 2021-03-31 09:58:00
MD5: 995d8da92fc74b6aee1521f527fee8b1
SHA-1: f56d89e8d74b4d29a2633de96cf6ec8e4123207e
SHA-256: 0c71bb401046b21691ed7d96c1d6a050233a5783aa77ef95a359270db88d22a2
Risk Score: 202

Malware Insights

Xls.Malware.Valyria-10036093-0 · confidence 95%

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF file contains multiple OLE objects, with the \objupdate heuristic indicating an attempt to force OLE activation. ClamAV detections confirm the presence of the Valyria malware family. This suggests the file is designed to exploit OLE vulnerabilities to deliver a malicious payload, likely via a spearphishing attachment.

Heuristics (6)

  • ClamAV: Xls.Malware.Valyria-10036093-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Xls.Malware.Valyria-10036093-0
  • ClamAV detection on extracted artifact [critical, EXTRACTED_FILE_CLAMAV]
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • \objupdate forces OLE activation [high, RTF_OBJUPDATE]
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium, RTF_OBJDATA]
    RTF contains 8 \objdata section(s) (embedded OLE objects).
  • Embedded OLE object [medium, RTF_OBJEMB]
    RTF contains \objemb (embedded OLE object).
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml

Extracted artifacts (7)

Files carved from inside the sample during analysis.

Fields per artifact: Filename, SHA-256, Kind, Source, Size, Detection, Obfuscation or payload.

  • objdata_00_off00018a14.bin
    SHA-256: b6499e76f4794ba2c79bc1d8701fa52b20298cb202049dcaf2925f9600708cc8
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x18A14
    Size: 28219 bytes
    Detection: ClamAV: Xls.Malware.Valyria-10036093-0
    Obfuscation or payload: unlikely
  • objdata_01_off0002bd65.bin
    SHA-256: 6f7b7f1f1d804d7b7a9a994dd2663c4e3b773257c2ecc85242e85418e73a9589
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x2BD65
    Size: 28219 bytes
    Detection: ClamAV: Xls.Malware.Valyria-10036093-0
    Obfuscation or payload: unlikely
  • objdata_02_off0003f0b6.bin
    SHA-256: 6b163e1fbbb1cba8a752ef70ef01bbc3340b924bab0c629b47c155c619192d1e
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x3F0B6
    Size: 28219 bytes
    Detection: ClamAV: Xls.Malware.Valyria-10036093-0
    Obfuscation or payload: unlikely
  • objdata_03_off0005250e.bin
    SHA-256: f07243ea8b8688d6b9f1cd866ec2216e0dcdfc63934e90f7bed6d2a3ac0305db
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x5250E
    Size: 28219 bytes
    Detection: ClamAV: Xls.Malware.Valyria-10036093-0
    Obfuscation or payload: unlikely
  • objdata_04_off000659b4.bin
    SHA-256: 560c8a4fdd4fa96f02bbf6f49b4b53aaf32531c49e1dbaa4be595aed7242d3ea
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x659B4
    Size: 28219 bytes
    Detection: ClamAV: Xls.Malware.Valyria-10036093-0
    Obfuscation or payload: unlikely
  • objdata_05_off00078e0e.bin
    SHA-256: d95a26474151cd2dff6278639b23a7d7429b8e9094573309addac6ae66b49453
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x78E0E
    Size: 28219 bytes
    Detection: ClamAV: Xls.Malware.Valyria-10036093-0
    Obfuscation or payload: unlikely
  • objdata_06_off0008c33b.bin
    SHA-256: 455c6e7b89d90929915699400809926de9cf9e83a228f1ac5a4688c106d616b5
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x8C33B
    Size: 28219 bytes
    Detection: ClamAV: Xls.Malware.Valyria-10036093-0
    Obfuscation or payload: unlikely