Verdict: MALICIOUS
Risk Score: 202

Malware Insights

MITRE ATT&CK:
- T1566.001 Spearphishing Attachment
- T1203 Exploitation for Client Execution
The RTF file contains multiple embedded OLE objects, with one being forcefully updated via \objupdate. ClamAV detections, specifically 'Xls.Malware.Valyria-10036093-0', strongly indicate malicious content within these embedded objects. The presence of OLE objects and the forced update suggest an attempt to execute malicious code upon opening the document.
Heuristics (5)
- ClamAV: Xls.Downloader.Generic-6750544-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Downloader.Generic-6750544-0
- \objupdate forces OLE activation (high, RTF_OBJUPDATE): RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
- OLE object data (medium, RTF_OBJDATA): RTF contains 10 \objdata section(s), i.e. embedded OLE objects.
- Embedded OLE object (medium, RTF_OBJEMB): RTF contains \objemb, an embedded OLE object.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)
Extracted artifacts (10)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 | ClamAV detection | Obfuscation or payload |
|---|---|---|---|---|---|---|
| objdata_00_off00002cb7.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2CB7 | 27707 bytes | 48e8815d3afb7232993f209ddf671f08d223824ba4d853777142fbfd4412b2f9 | Xls.Downloader.Generic-6750544-0 | unlikely |
| objdata_01_off000169ab.bin | rtf-objdata-decoded | RTF \objdata at offset 0x169AB | 27707 bytes | 88bb0aeafb1469a9c24e24bf16b8a367457cadf987d2fd6790c91c7db39d1e23 | Xls.Downloader.Generic-6750544-0 | unlikely |
| objdata_02_off0002a69f.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2A69F | 27707 bytes | fab4854806e6978bd573adab15fa016d47ee354e42c1179131ea135aa52fc1ef | Xls.Downloader.Generic-6750544-0 | unlikely |
| objdata_03_off0003e393.bin | rtf-objdata-decoded | RTF \objdata at offset 0x3E393 | 27707 bytes | d3f679bf19b4fc33304364f3cd2aaaeca76f251ecd544c8cae1f980f54ace7e9 | Xls.Downloader.Generic-6750544-0 | unlikely |
| objdata_04_off00052087.bin | rtf-objdata-decoded | RTF \objdata at offset 0x52087 | 27707 bytes | 4e2b81c717a6c547fd66c823dd0fc6525e91ee1ad55cb012faf2688634b7fc9b | Xls.Downloader.Generic-6750544-0 | unlikely |
| objdata_05_off00065dc7.bin | rtf-objdata-decoded | RTF \objdata at offset 0x65DC7 | 27707 bytes | ef856c0b6ac5bcd8f01e9f840324a654e5e55c80ea18e49db65fe4ddbc880674 | Xls.Downloader.Generic-6750544-0 | unlikely |
| objdata_06_off00079abb.bin | rtf-objdata-decoded | RTF \objdata at offset 0x79ABB | 27707 bytes | 2a6d00e51a8673ed90b4e527bbc4a886d075a4d86521016e874b6bbef17d62af | Xls.Downloader.Generic-6750544-0 | unlikely |
| objdata_07_off0008d7af.bin | rtf-objdata-decoded | RTF \objdata at offset 0x8D7AF | 27707 bytes | 952d3d7a4b3d52ac89d6f4668546ea9b27cccf738f1ddd1b278862ef6226373e | Xls.Downloader.Generic-6750544-0 | unlikely |
| objdata_08_off000a14a3.bin | rtf-objdata-decoded | RTF \objdata at offset 0xA14A3 | 27707 bytes | 79d6d701437103693dd9ed817f2514beeedcc3d0410ca01f29900f43f05477a4 | Xls.Downloader.Generic-6750544-0 | unlikely |
| objdata_09_off000b5197.bin | rtf-objdata-decoded | RTF \objdata at offset 0xB5197 | 27707 bytes | 2221207f647222b9dd7dcb46daf12056f43e9f8da8ce54e5f2465436fa327251 | Xls.Downloader.Generic-6750544-0 | unlikely |