Verdict: MALICIOUS
Risk Score: 262
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment
The RTF file contains ten embedded OLE objects (\objdata sections, marked \objemb) and uses \objupdate to force their activation as soon as the document is opened, with no user interaction. The critical heuristic matches the staging shape of CVE-2017-8759, a code-injection vulnerability in the .NET Framework's SOAP WSDL parser (not an MSXML bug, although the staging object here is an MSXML SAX reader): a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, with activation requested. The file is therefore assessed as built to execute arbitrary code through that vulnerability, most likely to download and run a second-stage payload; the report extracts no download URL, and the single URL it found (http://schemas.microsoft, in the RTF body) is a namespace-style reference rather than an indicator. ClamAV's Xls.Malware.Valyria-6934880-0 signature fires on every one of the ten carved objects, which supports the malicious classification. Two points for the analyst: the Xls prefix is the signature's target type, not evidence that this RTF is a spreadsheet, and the ten carved objects share a single size (24635 bytes) but have distinct SHA-256 hashes, so they are not byte-identical copies.
Heuristics (6)

- CVE-2017-8759: MSXML SAX OLE activation (critical; CVE likely; rule CVE_2017_8759). RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
- ClamAV: Xls.Malware.Valyria-6934880-0 (critical; rule CLAMAV_DETECTION). ClamAV detected this file as malware: Xls.Malware.Valyria-6934880-0.
- \objupdate forces OLE activation (high; rule RTF_OBJUPDATE). RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Commonly seen in Equation Editor exploit documents and in other exploit RTFs that need the object instantiated without a click, as is the case here.
- OLE object data (medium; rule RTF_OBJDATA). RTF contains 10 \objdata sections (embedded OLE objects).
- Embedded OLE object (medium; rule RTF_OBJEMB). RTF contains \objemb (embedded OLE object).
- Embedded URL (info; rule EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.microsoft, found in the RTF body. Namespace URIs of this form also occur in benign OLE and XML content.
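The heuristics above describe a structure that is easy to check directly: decode each \objdata hex run, read the OLE1 ObjectHeader to recover the class name and the native data, and look for the markers the rules name. The following scanner is an added example written for this report; it is not the analyzer's own code. It handles the general case of any number of \objdata groups, not just this sample, and carves each object with its offset, size and SHA-256 the way the artifact table does. The sample RTF is constructed here and carries zero filler instead of a compound document or payload; escaped braces and \bin runs are not handled, which is a simplification over a full RTF parser.

```python
"""Scan an RTF for embedded OLE objects and the CVE-2017-8759 staging shape.

Added example for this report, not the analyzer's own code. It decodes the hex
payload of every \\objdata group, parses the OLE1 ObjectHeader (MS-OLEDS) to
recover the class name and native data, and reproduces the report's RTF
heuristics: \\objupdate, \\objemb, the \\objdata count, and an
Msxml2.SAXXMLReader object carrying an OLE compound document with activation
requested. The sample RTF below is constructed and holds inert filler, not an
exploit. Escaped braces and \\bin runs are not handled (simplification).
"""
import hashlib
import re
import struct
from typing import Optional

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE compound document signature


def rtf_group_rest(data: bytes, pos: int) -> bytes:
    """Return bytes from pos up to the '}' that closes the enclosing RTF group."""
    depth = 0
    for i in range(pos, len(data)):
        c = data[i]
        if c == 0x7B:            # '{' opens a nested group
            depth += 1
        elif c == 0x7D:          # '}'
            if depth == 0:
                return data[pos:i]
            depth -= 1
    return data[pos:]


def decode_objdata(data: bytes):
    """Yield (file_offset, decoded_bytes) for every \\objdata group."""
    for m in re.finditer(rb"\\objdata\b", data):
        hexstr = re.sub(rb"\s+", b"", rtf_group_rest(data, m.end()))
        if len(hexstr) % 2:      # tolerate a stray trailing nibble
            hexstr = hexstr[:-1]
        try:
            yield m.start(), bytes.fromhex(hexstr.decode("ascii"))
        except ValueError:
            continue             # not a clean hex run; skip rather than guess


def parse_ole1(blob: bytes) -> Optional[dict]:
    """Parse an OLE1 ObjectHeader: version, FormatID, class name, native data."""
    try:
        version, fmt = struct.unpack_from("<II", blob, 0)
        off = 8

        def lp_ansi(o):          # LengthPrefixedAnsiString; length includes the NUL
            (n,) = struct.unpack_from("<I", blob, o)
            return blob[o + 4:o + 4 + n].rstrip(b"\x00").decode("latin-1"), o + 4 + n

        cls, off = lp_ansi(off)
        _topic, off = lp_ansi(off)
        _item, off = lp_ansi(off)
        native = b""
        if fmt == 2:             # FormatID 2 = embedded object (1 = linked)
            (size,) = struct.unpack_from("<I", blob, off)
            native = blob[off + 4:off + 4 + size]
    except struct.error:
        return None
    return {"version": version, "format": fmt, "class": cls, "native": native}


def scan_rtf(data: bytes) -> dict:
    """Carve each embedded object and evaluate the report's heuristics."""
    objects = []
    for offset, blob in decode_objdata(data):
        hdr = parse_ole1(blob) or {}
        objects.append({
            "offset": offset,
            "class": hdr.get("class", ""),
            "size": len(blob),
            "sha256": hashlib.sha256(blob).hexdigest(),
            "compound_doc": hdr.get("native", b"").startswith(CFB_MAGIC),
        })
    objupdate = b"\\objupdate" in data
    hits = []
    if objupdate:
        hits.append(("RTF_OBJUPDATE", "high"))
    if b"\\objemb" in data:
        hits.append(("RTF_OBJEMB", "medium"))
    if objects:
        hits.append(("RTF_OBJDATA", "medium"))
    # Staging shape from the report: a SAXXMLReader OLE1 object whose native
    # data is a compound document, plus forced activation.
    staged = any(o["class"].startswith("Msxml2.SAXXMLReader") and o["compound_doc"]
                 for o in objects)
    if staged and objupdate:
        hits.append(("CVE_2017_8759", "critical"))
    return {"objects": objects, "heuristics": hits}


def build_ole1(class_name: bytes, native: bytes) -> bytes:
    """Build a constructed OLE1 embedded-object record (version 0x0501, FormatID 2)."""
    def lp(s: bytes) -> bytes:
        if not s:
            return struct.pack("<I", 0)
        return struct.pack("<I", len(s) + 1) + s + b"\x00"
    return (struct.pack("<II", 0x00000501, 2) + lp(class_name) + lp(b"") + lp(b"")
            + struct.pack("<I", len(native)) + native)


# Constructed sample: the structural markers the report describes, with zero
# filler where a real sample carries the compound document and payload.
SAMPLE_OBJECT = build_ole1(b"Msxml2.SAXXMLReader.6.0", CFB_MAGIC + b"\x00" * 24)
SAMPLE_RTF = (b"{\\rtf1\\ansi\n{\\object\\objemb\\objupdate"
              b"{\\*\\objclass Msxml2.SAXXMLReader.6.0}"
              b"{\\*\\objdata " + SAMPLE_OBJECT.hex().encode() + b"}}\n}")

if __name__ == "__main__":
    result = scan_rtf(SAMPLE_RTF)
    for name, sev in result["heuristics"]:
        print(f"{sev:8s} {name}")
    for o in result["objects"]:
        print(f"objdata at 0x{o['offset']:X}: {o['class']} {o['size']} bytes sha256={o['sha256']}")
```

Run it against a real sample with `scan_rtf(open(path, "rb").read())`; the CVE_2017_8759 rule deliberately requires both the SAXXMLReader-plus-compound-document object and \objupdate, so an RTF that embeds the same object without forced activation only gets the medium-severity structural hits.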
Extracted artifacts 10
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 | ClamAV detection | Obfuscation or payload |
|---|---|---|---|---|---|---|
| objdata_00_off00002ac8.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2AC8 | 24635 bytes | 345dc2e6a09548be2d9d466e6995e144fb7c4296af1536065facdc48dd73b7d6 | Xls.Malware.Valyria-6934880-0 | unlikely |
| objdata_01_off000144fd.bin | rtf-objdata-decoded | RTF \objdata at offset 0x144FD | 24635 bytes | 4e645d2c4678b64810791fa5f65e1463691bec4677f5bceda0711938759566b5 | Xls.Malware.Valyria-6934880-0 | unlikely |
| objdata_02_off00025f34.bin | rtf-objdata-decoded | RTF \objdata at offset 0x25F34 | 24635 bytes | de62a0f1a0a126574f11f2ade5727c436d8e7dbd8a39b1a97a3bc5ab34c03153 | Xls.Malware.Valyria-6934880-0 | unlikely |
| objdata_03_off0003796b.bin | rtf-objdata-decoded | RTF \objdata at offset 0x3796B | 24635 bytes | 553a7440143d6c60676cbd249e4aeeed850cec7bf4b4b1438f21ca25e68302fd | Xls.Malware.Valyria-6934880-0 | unlikely |
| objdata_04_off000493a2.bin | rtf-objdata-decoded | RTF \objdata at offset 0x493A2 | 24635 bytes | 398f178b9c4e89866ece392b7079274c81782deb206aee5bab7fad8857379f85 | Xls.Malware.Valyria-6934880-0 | unlikely |
| objdata_05_off0005add9.bin | rtf-objdata-decoded | RTF \objdata at offset 0x5ADD9 | 24635 bytes | 7ef92e062fc81a770f6968e43a07146550bebdbe95765b228b4b7fd147dedbcc | Xls.Malware.Valyria-6934880-0 | unlikely |
| objdata_06_off0006c810.bin | rtf-objdata-decoded | RTF \objdata at offset 0x6C810 | 24635 bytes | a052c0fbe40d18bc3a4754745d9cb18031450f12ba11ddefe2e71428812b8563 | Xls.Malware.Valyria-6934880-0 | unlikely |
| objdata_07_off0007e247.bin | rtf-objdata-decoded | RTF \objdata at offset 0x7E247 | 24635 bytes | f1ce63eb5d3f8843feeff161672ba3f91df565581cf155e8bcf15f4fce4b3354 | Xls.Malware.Valyria-6934880-0 | unlikely |
| objdata_08_off0008fc7e.bin | rtf-objdata-decoded | RTF \objdata at offset 0x8FC7E | 24635 bytes | adebabea66b088a8c1bcdf176285f9c1a41d82a3f3aa24809c6571d71c17acd3 | Xls.Malware.Valyria-6934880-0 | unlikely |
| objdata_09_off000a16b5.bin | rtf-objdata-decoded | RTF \objdata at offset 0xA16B5 | 24635 bytes | f0dc1686127578de96f065a2ce9bc483639d2eaab92b0943bd49d468ac1f67b7 | Xls.Malware.Valyria-6934880-0 | unlikely |