Verdict: MALICIOUS
Risk Score: 240

Malware Insights

MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1204.002 Malicious File
The RTF document contains multiple OLE objects with \objupdate directives, indicating an attempt to trigger embedded code execution. ClamAV detections confirm this as a malicious variant of Xls.Malware.Valyria. The primary attack vector appears to be exploiting OLE object vulnerabilities to deliver a malicious payload.
Heuristics (6)
- Composite Moniker in RTF OLE object [high, RTF_COMPOSITE_MONIKER_RELATED]: RTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
- ClamAV: Xls.Malware.Valyria-10036093-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Xls.Malware.Valyria-10036093-0
- ClamAV detection on extracted artifact [critical, EXTRACTED_FILE_CLAMAV]: ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
- \objupdate forces OLE activation [high, RTF_OBJUPDATE]: RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
- OLE object data [medium, RTF_OBJDATA]: RTF contains 8 \objdata section(s) — embedded OLE objects
- Embedded OLE object [medium, RTF_OBJEMB]: RTF contains \objemb — embedded OLE object
Extracted artifacts (8)
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size | Detection |
|---|---|---|---|---|---|
| objdata_00_off0001e5b0.bin | 4cce5b01c45e9bb2f345db9b0ef9e86a28211f9c06b2fb92cce16025ae340806 | rtf-objdata-decoded | RTF \objdata at offset 0x1E5B0 | 28219 bytes | ClamAV: Xls.Malware.Valyria-10036093-0; obfuscation or payload: unlikely |
| objdata_01_off00031907.bin | b4d79e3a4470b2865409ea1681e9e425c43069f6e8f83c01e2e300c9495956f6 | rtf-objdata-decoded | RTF \objdata at offset 0x31907 | 28731 bytes | ClamAV: Xls.Malware.Valyria-10036093-0; obfuscation or payload: unlikely |
| objdata_02_off00055227.bin | b293f5a737a9a1749e51617848035e5940664d880253315db735073a724815b8 | rtf-objdata-decoded | RTF \objdata at offset 0x55227 | 28219 bytes | ClamAV: Xls.Malware.Valyria-10036093-0; obfuscation or payload: unlikely |
| objdata_03_off00074e59.bin | 032059635ac700e8ad70c0b7edef11189ece930982f6b253a6c3c5df42fe1053 | rtf-objdata-decoded | RTF \objdata at offset 0x74E59 | 28219 bytes | ClamAV: Xls.Malware.Valyria-10036093-0; obfuscation or payload: unlikely |
| objdata_04_off00088303.bin | f684090be53a50c30f7f63f3b6ffa26a301e03c80b5aaa7decc193520607c21e | rtf-objdata-decoded | RTF \objdata at offset 0x88303 | 28219 bytes | ClamAV: Xls.Malware.Valyria-10036093-0; obfuscation or payload: unlikely |
| objdata_05_off0009b763.bin | ff70193b8cd417599f799272c281ee9130cd94dd39b130782d11db8c8711b727 | rtf-objdata-decoded | RTF \objdata at offset 0x9B763 | 28219 bytes | ClamAV: Xls.Malware.Valyria-10036093-0; obfuscation or payload: unlikely |
| objdata_06_off000aebc1.bin | d613f955ed25f63f5baaf0e06a9f08d41efbd63e57bf56bcb82f8c8e30088ad8 | rtf-objdata-decoded | RTF \objdata at offset 0xAEBC1 | 28219 bytes | ClamAV: Xls.Malware.Valyria-10036093-0; obfuscation or payload: unlikely |
| objdata_07_off000c201f.bin | 3400e424e704052569237748e9dc678ed21e5dbfff6fb98f35403798d062cb9c | rtf-objdata-decoded | RTF \objdata at offset 0xC201F | 28219 bytes | ClamAV: Xls.Malware.Valyria-10036093-0; obfuscation or payload: unlikely |