Verdict: MALICIOUS
Risk Score: 262

Malware Insights

MITRE ATT&CK:
- T1203 Exploitation for Client Execution
- T1566.001 Spearphishing Attachment
The RTF file contains multiple embedded OLE objects and triggers their activation via \objupdate, exploiting CVE-2017-8759. ClamAV signatures indicate this is a variant of Xls.Malware.Valyria-6934880-0. The embedded objects are likely used to download and execute a secondary payload, a common technique for initial execution.
Heuristics (6)

- CVE-2017-8759 — MSXML SAX OLE activation (critical, CVE_2017_8759): RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
- ClamAV: Xls.Malware.Valyria-6934880-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Malware.Valyria-6934880-0.
- \objupdate forces OLE activation (high, RTF_OBJUPDATE): RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
- OLE object data (medium, RTF_OBJDATA): RTF contains 10 \objdata section(s), i.e. embedded OLE objects.
- Embedded OLE object (medium, RTF_OBJEMB): RTF contains \objemb, an embedded OLE object.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body).
Extracted artifacts (10)

Files carved from inside the sample during analysis. All ten objects are the same size and carry the same ClamAV detection; obfuscation or an embedded payload is rated unlikely for each.

| Filename | Kind | Source | Size | SHA-256 | ClamAV | Obfuscation or payload |
|---|---|---|---|---|---|---|
| objdata_00_off00002ca9.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2CA9 | 22587 bytes | 04018179e406bb7d90b655976596f58b77247ca69fa467b5074e749aaa87bd0b | Xls.Malware.Valyria-6934880-0 | unlikely |
| objdata_01_off0001392f.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1392F | 22587 bytes | 2db52fcdf063249669e78b9604467fb8efffe3951488f1d58083c8c6fd117f94 | Xls.Malware.Valyria-6934880-0 | unlikely |
| objdata_02_off0002452a.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2452A | 22587 bytes | 163a58840a3a719cbff36a2e8c37387c32299945b1077f74ed9c551cea33b311 | Xls.Malware.Valyria-6934880-0 | unlikely |
| objdata_03_off00035127.bin | rtf-objdata-decoded | RTF \objdata at offset 0x35127 | 22587 bytes | 03b7fcee9bd37c3ae8a6b08e9f978041336788270b9485e6dc8c1ea73ef66863 | Xls.Malware.Valyria-6934880-0 | unlikely |
| objdata_04_off00045d24.bin | rtf-objdata-decoded | RTF \objdata at offset 0x45D24 | 22587 bytes | 715d982d8c23b90f0349a206cc997afbb45c16dae07d1cf639c1a6b4d7d8c495 | Xls.Malware.Valyria-6934880-0 | unlikely |
| objdata_05_off00056921.bin | rtf-objdata-decoded | RTF \objdata at offset 0x56921 | 22587 bytes | 9b6fc690aaf37e615b701bb72d4128b1146227f6dc38e1f2735e760bd4f24ce3 | Xls.Malware.Valyria-6934880-0 | unlikely |
| objdata_06_off0006751e.bin | rtf-objdata-decoded | RTF \objdata at offset 0x6751E | 22587 bytes | f00dbcb7867ff7573ce2f9b5a174bd4ee8e4a97042905c54c6080fbcbec128a3 | Xls.Malware.Valyria-6934880-0 | unlikely |
| objdata_07_off0007811b.bin | rtf-objdata-decoded | RTF \objdata at offset 0x7811B | 22587 bytes | 6ba625d7ab2438f10234ff436d89ffb338990fd08fd82f71957ad7bab48bc933 | Xls.Malware.Valyria-6934880-0 | unlikely |
| objdata_08_off00088d18.bin | rtf-objdata-decoded | RTF \objdata at offset 0x88D18 | 22587 bytes | 95dfc9245778e2944d2a8a483252708b5b20958e999cec82f6dff7e1a4252482 | Xls.Malware.Valyria-6934880-0 | unlikely |
| objdata_09_off00099915.bin | rtf-objdata-decoded | RTF \objdata at offset 0x99915 | 22587 bytes | 2ca73d1628a11a7da0e60bce474e018b1f57e9bf2b794dd6ae7704f6305c0697 | Xls.Malware.Valyria-6934880-0 | unlikely |