Xls.Malware.Valyria-10036093-0 — RTF malware analysis

Static analysis result for SHA-256 5dd183011dbba484…

Verdict: MALICIOUS

File type: RTF

Size: 437.6 KB · Created: 2021-07-01 11:40:00 · First seen: 2021-07-07
MD5: 0b9c04f60fb26c3e88d3e4a431086d54
SHA-1: af630b33b1fdb4611b3f750d35c0f81efe9d89e3
SHA-256: 5dd183011dbba484286c8bcfba3c968a2e540d9ada06f009b3f6c2fb7df48e70
Risk score: 202

Malware Insights

Xls.Malware.Valyria-10036093-0 · confidence 95%

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The RTF file contains multiple embedded OLE objects, one of which is force-updated via \objupdate. ClamAV detections, specifically 'Xls.Malware.Valyria-10036093-0', strongly indicate malicious content within these embedded objects. The presence of OLE objects together with the forced update suggests an attempt to execute malicious code as soon as the document is opened.

Heuristics (5)

  • ClamAV: Xls.Malware.Valyria-10036093-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Xls.Malware.Valyria-10036093-0
  • \objupdate forces OLE activation [high, RTF_OBJUPDATE]
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium, RTF_OBJDATA]
    RTF contains 6 \objdata section(s), i.e. embedded OLE objects.
  • Embedded OLE object [medium, RTF_OBJEMB]
    RTF contains \objemb (embedded OLE object).
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size

objdata_00_off00002919.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2919 | 23611 bytes
    SHA-256: 22444f3fe3652f297e7247367b759ade8cf93fe165030114db7eabe92b21216c
    Detection: ClamAV: Xls.Malware.Valyria-10036093-0
    Obfuscation or payload: unlikely

objdata_01_off00013822.bin | rtf-objdata-decoded | RTF \objdata at offset 0x13822 | 23611 bytes
    SHA-256: f41c4128063c323df436ed5042c4e3d8613e86963536900bce71644341f94080
    Detection: ClamAV: Xls.Malware.Valyria-10036093-0
    Obfuscation or payload: unlikely

objdata_02_off00024729.bin | rtf-objdata-decoded | RTF \objdata at offset 0x24729 | 23611 bytes
    SHA-256: d1ef4cf74c172db44e23100f14af1af11fcc9d3bc7d9378b2b47727ee81714b3
    Detection: ClamAV: Xls.Malware.Valyria-10036093-0
    Obfuscation or payload: unlikely

objdata_03_off00035630.bin | rtf-objdata-decoded | RTF \objdata at offset 0x35630 | 23611 bytes
    SHA-256: 8b5a01f5aaf5778febf9b90431f96b76557aa74312c2586a33180e90cbb36411
    Detection: ClamAV: Xls.Malware.Valyria-10036093-0
    Obfuscation or payload: unlikely

objdata_04_off0004663e.bin | rtf-objdata-decoded | RTF \objdata at offset 0x4663E | 23611 bytes
    SHA-256: fcd5baef5d645ca58cc19eb938ce8a81518dd10304e87b2cad9f3b5e2e02a290
    Detection: ClamAV: Xls.Malware.Valyria-10036093-0
    Obfuscation or payload: unlikely

objdata_05_off0005764c.bin | rtf-objdata-decoded | RTF \objdata at offset 0x5764C | 23611 bytes
    SHA-256: 4cb737484b138296d329da8ebda557a335564a8f1cc2a46ef41cd3da2c186533
    Detection: ClamAV: Xls.Malware.Valyria-10036093-0
    Obfuscation or payload: unlikely