Verdict: MALICIOUS
Risk Score: 202
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1203 Exploitation for Client Execution
The RTF file contains multiple embedded OLE objects, with one being forcefully updated via \objupdate. ClamAV detections, specifically 'Xls.Malware.Valyria-10036093-0', strongly indicate malicious content within these embedded objects. The presence of OLE objects and the forced update suggest an attempt to execute malicious code upon opening the document.
Heuristics 5
- ClamAV: Doc.Dropper.Agent-6412232-1 (critical, CLAMAV_DETECTION). ClamAV detected this file as malware: Doc.Dropper.Agent-6412232-1
- \objupdate forces OLE activation (high, RTF_OBJUPDATE). RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
- OLE object data (medium, RTF_OBJDATA). RTF contains 8 \objdata section(s): embedded OLE objects.
- Embedded OLE object (medium, RTF_OBJEMB). RTF contains \objemb: embedded OLE object.
- Embedded URL (info, EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body).
Extracted artifacts 8
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 | ClamAV detection | Obfuscation or payload |
|---|---|---|---|---|---|---|
| objdata_00_off00002c11.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2C11 | 33339 bytes | 74062d45cae4ea5c1967236d60d6985eca4dbf869d78cacd9e4c2fd026669641 | Doc.Dropper.Agent-6412232-1 | unlikely |
| objdata_01_off00018b2d.bin | rtf-objdata-decoded | RTF \objdata at offset 0x18B2D | 33339 bytes | fa5a80e783b7af57eac3371f0b4b02b0346832f17036ae9be17c2997ea7fd5f4 | Doc.Dropper.Agent-6412232-1 | unlikely |
| objdata_02_off0002ea49.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2EA49 | 33339 bytes | 5f6e4d774db876726c04d546e5a354cebafff84afc1e40081388a48d03bf810d | Doc.Dropper.Agent-6412232-1 | unlikely |
| objdata_03_off00044965.bin | rtf-objdata-decoded | RTF \objdata at offset 0x44965 | 33339 bytes | 08980089f487b0c53ac3959bb0f59fb11a850f637190eed170517b778ae78035 | Doc.Dropper.Agent-6412232-1 | unlikely |
| objdata_04_off0005a881.bin | rtf-objdata-decoded | RTF \objdata at offset 0x5A881 | 33339 bytes | a814bd17e4821274eec062bd2396596fc1a6d759dac82ebe4503c02d97637cf5 | Doc.Dropper.Agent-6412232-1 | unlikely |
| objdata_05_off000707e9.bin | rtf-objdata-decoded | RTF \objdata at offset 0x707E9 | 33339 bytes | 0f77744282941a3e3b200d348f0005c9cf06415f6994bc30198e824859d26019 | Doc.Dropper.Agent-6412232-1 | unlikely |
| objdata_06_off00086705.bin | rtf-objdata-decoded | RTF \objdata at offset 0x86705 | 33339 bytes | 261a7e977c81a7d51005128a113a958aed9cb2f7c692a6eaa2ee8fc41bb6b62c | Doc.Dropper.Agent-6412232-1 | unlikely |
| objdata_07_off0009c621.bin | rtf-objdata-decoded | RTF \objdata at offset 0x9C621 | 9935 bytes | 26cab2bc58bd7c211963878e6c679a6482a7c9208b0b4797cf515b0e14b774be | | |