Xls.Malware.Valyria-10036093-0 — RTF malware analysis

Static analysis result for SHA-256 28769b64b749a3ae…

MALICIOUS

RTF

Size: 645.1 KB · Created: 2018-05-07 · First seen: 2021-02-23
MD5: e64ae7b975b197f4808d5e6176d3ec8e
SHA-1: 03791ca0eff28620a60e56c0a5a355a64997c98a
SHA-256: 28769b64b749a3ae0c95a3d9c962e208150a27d755f6109547486fe8fb01274b
Risk score: 202

Malware Insights

Xls.Malware.Valyria-10036093-0 · confidence 95%

MITRE ATT&CK
T1566.001 Spearphishing Attachment · T1203 Exploitation for Client Execution

The RTF file contains multiple embedded OLE objects (8 \objdata sections), at least one of which is marked \objupdate, which makes Word instantiate the object automatically when the document is opened rather than waiting for the user to activate it. ClamAV detections (Xls.Malware.Valyria-10036093-0 and Doc.Dropper.Agent-6412232-1, the latter also firing on each carved object) indicate malicious content within these embedded objects. Embedded OLE objects combined with forced activation are the pattern used to trigger client-side code execution on open.

Heuristics 5

  • ClamAV: Doc.Dropper.Agent-6412232-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6412232-1
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing the usual user interaction. Legitimate documents rarely use it; it is strongly associated with Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 8 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body; this is the standard WordML 2003 namespace identifier, not a download location)
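The RTF_OBJUPDATE, RTF_OBJEMB and RTF_OBJDATA heuristics above, and the per-object carving shown in the artifact list below, can be reproduced with a short script. What follows is an added example, not the analysis platform's own code. The sample RTF it operates on is constructed for the demonstration (class name "Equation.3", dummy native data) and carries no exploit payload; the OLE1 header layout it parses follows the MS-OLEDS EmbeddedObject structure (OLEVersion, FormatID, length-prefixed ClassName/TopicName/ItemName, NativeDataSize, NativeData), and the 260-byte name bound is an assumption used only as a sanity check.

```python
"""RTF OLE-object triage: flag \\objupdate / \\objemb, carve and hash every \\objdata blob.
Added example, not the analysis platform's code; sample input is constructed."""
import hashlib
import re
import struct

OBJDATA_RE = re.compile(rb"\\objdata\b")
HEXDIGITS = b"0123456789abcdefABCDEF"
MAX_NAME_LEN = 260                    # sanity bound for length-prefixed names (assumption)
SAMPLE_NATIVE = b"constructed native data, not an exploit"   # constructed, harmless


def build_ole1_embedded(class_name: bytes, native: bytes) -> bytes:
    """Serialise an OLE1 EmbeddedObject (MS-OLEDS) as Word stores it inside \\objdata."""
    def lp(s: bytes) -> bytes:        # LengthPrefixedAnsiString; length counts the NUL
        return (struct.pack("<I", len(s) + 1) + s + b"\x00") if s else struct.pack("<I", 0)
    return (struct.pack("<II", 0x00000501, 2)      # OLEVersion, FormatID 2 = embedded
            + lp(class_name) + lp(b"") + lp(b"")   # ClassName, TopicName, ItemName
            + struct.pack("<I", len(native)) + native)


def parse_ole1_header(blob: bytes):
    """Return (class_name, native_size) for an OLE1 EmbeddedObject, or None if malformed."""
    pos = 0

    def u32() -> int:
        nonlocal pos
        (v,) = struct.unpack_from("<I", blob, pos)
        pos += 4
        return v

    def lp() -> bytes:
        nonlocal pos
        n = u32()
        if n > MAX_NAME_LEN or pos + n > len(blob):
            raise ValueError("implausible length-prefixed string")
        s = blob[pos:pos + n]
        pos += n
        return s.rstrip(b"\x00")

    try:
        u32()                                   # OLEVersion (not validated)
        if u32() != 2:                          # only embedded objects carry native data
            return None
        class_name = lp()
        lp(); lp()                              # TopicName, ItemName are irrelevant here
        return class_name.decode("latin-1"), u32()
    except (struct.error, ValueError):
        return None


def carve_objdata(rtf: bytes):
    """Yield (offset of \\objdata, decoded bytes) for each \\objdata group in the RTF."""
    for m in OBJDATA_RE.finditer(rtf):
        i, depth, hexchars = m.end(), 0, bytearray()
        while i < len(rtf):
            c = rtf[i]
            if c == 0x7B:                       # '{' : nested group
                depth += 1
            elif c == 0x7D:                     # '}' at depth 0 closes the objdata group
                if depth == 0:
                    break
                depth -= 1
            elif c == 0x5C:                     # control word: skip so it is not read as hex
                i += 1
                while i < len(rtf) and rtf[i:i + 1].isalpha():
                    i += 1
                continue
            elif c in HEXDIGITS:
                hexchars.append(c)
            i += 1
        if len(hexchars) % 2:                   # odd nibble count: truncated or garbled
            hexchars.pop()
        if hexchars:
            yield m.start(), bytes.fromhex(hexchars.decode("ascii"))


def triage_rtf(rtf: bytes) -> dict:
    """Apply the RTF_OBJUPDATE / RTF_OBJEMB / RTF_OBJDATA heuristics and carve objects."""
    report = {"objupdate": b"\\objupdate" in rtf, "objemb": b"\\objemb" in rtf, "objects": []}
    for off, blob in carve_objdata(rtf):
        hdr = parse_ole1_header(blob)
        report["objects"].append({
            "offset": off, "size": len(blob),
            "sha256": hashlib.sha256(blob).hexdigest(),
            "class": hdr[0] if hdr else None,
            "native_size": hdr[1] if hdr else None,
        })
    # \objupdate on an embedded object = activation with no user interaction.
    if report["objects"] and report["objupdate"]:
        report["verdict"] = "high"
    elif report["objects"]:
        report["verdict"] = "medium"
    else:
        report["verdict"] = "low"
    return report


def sample_rtf() -> bytes:
    """Constructed RTF: one \\objemb\\objupdate object wrapping the dummy OLE1 blob."""
    hexdata = build_ole1_embedded(b"Equation.3", SAMPLE_NATIVE).hex().encode("ascii")
    return (b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Calibri;}}\n"
            b"{\\object\\objemb\\objupdate\\objw100\\objh100{\\*\\objclass Equation.3}"
            b"{\\*\\objdata " + hexdata + b"}}\nQuarterly report attached.}\n")


if __name__ == "__main__":
    r = triage_rtf(sample_rtf())
    print(f"objupdate={r['objupdate']} objemb={r['objemb']} verdict={r['verdict']}")
    for o in r["objects"]:
        print(f"  \\objdata at 0x{o['offset']:X}: {o['size']} bytes class={o['class']} "
              f"native={o['native_size']} sha256={o['sha256']}")
```

Run it on a real sample with `triage_rtf(open(path, "rb").read())`; the carved blobs are what the artifact list below hashes, so their SHA-256 values can be compared directly. The hex walker skips control words and nested groups rather than treating them as data, which matters for samples that pad \objdata with junk to break naive `bytes.fromhex` extraction.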

Extracted artifacts 8

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
objdata_00_off00002c11.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2C11 | 33339 bytes
  SHA-256: 74062d45cae4ea5c1967236d60d6985eca4dbf869d78cacd9e4c2fd026669641
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely
objdata_01_off00018b2d.bin | rtf-objdata-decoded | RTF \objdata at offset 0x18B2D | 33339 bytes
  SHA-256: fa5a80e783b7af57eac3371f0b4b02b0346832f17036ae9be17c2997ea7fd5f4
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely
objdata_02_off0002ea49.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2EA49 | 33339 bytes
  SHA-256: 5f6e4d774db876726c04d546e5a354cebafff84afc1e40081388a48d03bf810d
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely
objdata_03_off00044965.bin | rtf-objdata-decoded | RTF \objdata at offset 0x44965 | 33339 bytes
  SHA-256: 08980089f487b0c53ac3959bb0f59fb11a850f637190eed170517b778ae78035
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely
objdata_04_off0005a881.bin | rtf-objdata-decoded | RTF \objdata at offset 0x5A881 | 33339 bytes
  SHA-256: a814bd17e4821274eec062bd2396596fc1a6d759dac82ebe4503c02d97637cf5
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely
objdata_05_off000707e9.bin | rtf-objdata-decoded | RTF \objdata at offset 0x707E9 | 33339 bytes
  SHA-256: 0f77744282941a3e3b200d348f0005c9cf06415f6994bc30198e824859d26019
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely
objdata_06_off00086705.bin | rtf-objdata-decoded | RTF \objdata at offset 0x86705 | 33339 bytes
  SHA-256: 261a7e977c81a7d51005128a113a958aed9cb2f7c692a6eaa2ee8fc41bb6b62c
  Detection: ClamAV: Doc.Dropper.Agent-6412232-1
  Obfuscation or payload: unlikely
objdata_07_off0009c621.bin | rtf-objdata-decoded | RTF \objdata at offset 0x9C621 | 9935 bytes
  SHA-256: 26cab2bc58bd7c211963878e6c679a6482a7c9208b0b4797cf515b0e14b774be