Xls.Malware.Valyria-10036093-0 — RTF malware analysis

Static analysis result for SHA-256 4e6f29e5be01e073…

MALICIOUS

RTF

Size: 833.2 KB
Created: 2018-03-07 05:13:00
First seen: 2021-02-23
MD5: 03ecf49dca7c86114ea60926528d678b
SHA-1: 70971c22441d41794c1808c1f693234182ca7e1b
SHA-256: 4e6f29e5be01e0739cc9067dfb053e4539fd6027dff0ae6cb1f26b944d863eda
Risk Score: 202

Malware Insights

Xls.Malware.Valyria-10036093-0 · confidence 95%

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The RTF file contains multiple embedded OLE objects, with one being forcefully updated via \objupdate. ClamAV detections, specifically 'Xls.Malware.Valyria-10036093-0', strongly indicate malicious content within these embedded objects. The presence of OLE objects and the forced update suggest an attempt to execute malicious code upon opening the document.

Heuristics (5)

  • ClamAV: Xls.Downloader.Generic-6750544-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.Generic-6750544-0
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 10 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2003/wordml In RTF body

Extracted artifacts (10)

Files carved from inside the sample during analysis.

Each entry lists filename, kind, source, size, SHA-256, detection and obfuscation assessment.

  • objdata_00_off00002cb7.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x2CB7
    Size: 27707 bytes
    SHA-256: 48e8815d3afb7232993f209ddf671f08d223824ba4d853777142fbfd4412b2f9
    Detection: ClamAV: Xls.Downloader.Generic-6750544-0
    Obfuscation or payload: unlikely
  • objdata_01_off000169ab.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x169AB
    Size: 27707 bytes
    SHA-256: 88bb0aeafb1469a9c24e24bf16b8a367457cadf987d2fd6790c91c7db39d1e23
    Detection: ClamAV: Xls.Downloader.Generic-6750544-0
    Obfuscation or payload: unlikely
  • objdata_02_off0002a69f.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x2A69F
    Size: 27707 bytes
    SHA-256: fab4854806e6978bd573adab15fa016d47ee354e42c1179131ea135aa52fc1ef
    Detection: ClamAV: Xls.Downloader.Generic-6750544-0
    Obfuscation or payload: unlikely
  • objdata_03_off0003e393.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x3E393
    Size: 27707 bytes
    SHA-256: d3f679bf19b4fc33304364f3cd2aaaeca76f251ecd544c8cae1f980f54ace7e9
    Detection: ClamAV: Xls.Downloader.Generic-6750544-0
    Obfuscation or payload: unlikely
  • objdata_04_off00052087.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x52087
    Size: 27707 bytes
    SHA-256: 4e2b81c717a6c547fd66c823dd0fc6525e91ee1ad55cb012faf2688634b7fc9b
    Detection: ClamAV: Xls.Downloader.Generic-6750544-0
    Obfuscation or payload: unlikely
  • objdata_05_off00065dc7.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x65DC7
    Size: 27707 bytes
    SHA-256: ef856c0b6ac5bcd8f01e9f840324a654e5e55c80ea18e49db65fe4ddbc880674
    Detection: ClamAV: Xls.Downloader.Generic-6750544-0
    Obfuscation or payload: unlikely
  • objdata_06_off00079abb.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x79ABB
    Size: 27707 bytes
    SHA-256: 2a6d00e51a8673ed90b4e527bbc4a886d075a4d86521016e874b6bbef17d62af
    Detection: ClamAV: Xls.Downloader.Generic-6750544-0
    Obfuscation or payload: unlikely
  • objdata_07_off0008d7af.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x8D7AF
    Size: 27707 bytes
    SHA-256: 952d3d7a4b3d52ac89d6f4668546ea9b27cccf738f1ddd1b278862ef6226373e
    Detection: ClamAV: Xls.Downloader.Generic-6750544-0
    Obfuscation or payload: unlikely
  • objdata_08_off000a14a3.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0xA14A3
    Size: 27707 bytes
    SHA-256: 79d6d701437103693dd9ed817f2514beeedcc3d0410ca01f29900f43f05477a4
    Detection: ClamAV: Xls.Downloader.Generic-6750544-0
    Obfuscation or payload: unlikely
  • objdata_09_off000b5197.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0xB5197
    Size: 27707 bytes
    SHA-256: 2221207f647222b9dd7dcb46daf12056f43e9f8da8ce54e5f2465436fa327251
    Detection: ClamAV: Xls.Downloader.Generic-6750544-0
    Obfuscation or payload: unlikely