Xls.Malware.Valyria-10036093-0 — RTF / .DOC malware analysis

Static analysis result for SHA-256 44609be274ceb47b…

MALICIOUS

RTF / .DOC

Size: 754.9 KB
Created: 2021-03-26 01:48:00
MD5: abebd0ed6fd6c71bf1593efc5eb3312f
SHA-1: c42533786aeda835eb77ecdb7eb8aaa0bceb0b85
SHA-256: 44609be274ceb47badbb35cb9b9bd861a2ca4a0aec9c8348fbabac39816ed73f
Risk Score: 200

Malware Insights

Xls.Malware.Valyria-10036093-0 · confidence 95%

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File
  • T1137.003 DLL Side-Loading

The RTF document contains multiple OLE object data sections and uses \objupdate to force OLE activation, indicating an attempt to exploit the embedded objects rather than present them as legitimate content. ClamAV detections confirm the file is malicious, identifying it as Xls.Malware.Valyria-10036093-0. Together, the OLE objects and the ClamAV signature strongly suggest the document is a delivery vehicle for a payload that is executed when the objects are activated.

Heuristics (5)

  • ClamAV: Xls.Malware.Valyria-10036093-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.Valyria-10036093-0
  • ClamAV detection on extracted artifact [critical] EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • \objupdate forces OLE activation [high] RTF_OBJUPDATE
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium] RTF_OBJDATA
    RTF contains 8 \objdata section(s) (embedded OLE objects).
  • Embedded OLE object [medium] RTF_OBJEMB
    RTF contains \objemb (embedded OLE object).

Extracted artifacts (8)

Files carved from inside the sample during analysis.

Each entry lists the carved filename, its SHA-256, kind, source location in the RTF, size, detection, and obfuscation assessment.

  • objdata_00_off0001981f.bin
    SHA-256: 336cc5e3eb99e38439bc40dd2f911d26068fe3b0de10d16a76b4dca907ec7752
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x1981F
    Size: 29243 bytes
    Detection: ClamAV: Xls.Malware.Valyria-10036093-0
    Obfuscation or payload: unlikely
  • objdata_01_off0002d392.bin
    SHA-256: e08171bd0f79b7f6a88fdcc5cfd6db6439c032187a3c1bef094d5b98e5192b3c
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x2D392
    Size: 29243 bytes
    Detection: ClamAV: Xls.Malware.Valyria-10036093-0
    Obfuscation or payload: unlikely
  • objdata_02_off00040f05.bin
    SHA-256: 3ff68b64d0ce0ba621587381737e647b5e69080950f29c135a23582e8bed1fab
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x40F05
    Size: 29243 bytes
    Detection: ClamAV: Xls.Malware.Valyria-10036093-0
    Obfuscation or payload: unlikely
  • objdata_03_off00054b7f.bin
    SHA-256: 4ce5138fef18283d3ee4fae093d9084bee55338d1f77096b3ab7a8b071c73015
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x54B7F
    Size: 29243 bytes
    Detection: ClamAV: Xls.Malware.Valyria-10036093-0
    Obfuscation or payload: unlikely
  • objdata_04_off000688d1.bin
    SHA-256: b90baf7dfc77b405a699c9f13095fb35c873193ae5c07a5e149f28300275f426
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x688D1
    Size: 29243 bytes
    Detection: ClamAV: Xls.Malware.Valyria-10036093-0
    Obfuscation or payload: unlikely
  • objdata_05_off0007c54e.bin
    SHA-256: bebe7a6fa5234813f3bef9b7908503473ca7e7db36b73564e46c22b7b15858d5
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x7C54E
    Size: 29243 bytes
    Detection: ClamAV: Xls.Malware.Valyria-10036093-0
    Obfuscation or payload: unlikely
  • objdata_06_off0009029c.bin
    SHA-256: 7e77fa27846f6d39ce90829b7e15851c235314eaccf75a7374645e19dcb3f0ee
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x9029C
    Size: 29243 bytes
    Detection: ClamAV: Xls.Malware.Valyria-10036093-0
    Obfuscation or payload: unlikely
  • objdata_07_off000a3f13.bin
    SHA-256: 81a0133b82a608e931f892d6c28c93868ea7d181f3b8dfde8f7bf9efc09b889e
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0xA3F13
    Size: 29243 bytes
    Detection: ClamAV: Xls.Malware.Valyria-10036093-0
    Obfuscation or payload: unlikely