Xls.Malware.Valyria-10036093-0 — RTF malware analysis

Static analysis result for SHA-256 b2066744355b9f3e…

Verdict: MALICIOUS
File type: RTF
Size: 413.3 KB
Created: 2021-07-01 12:33:00
First seen: 2021-07-07
MD5: 74be4b7a414f35f782187e6fdb9aacd0
SHA-1: aa0f0bf2ca8cff2acf135e879707a8129a79198d
SHA-256: b2066744355b9f3ef968c6a1168fb05d1c9bdfb30b117acee156638799ec9fb8
Risk Score: 202

Malware Insights

Xls.Malware.Valyria-10036093-0 · confidence 95%

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The RTF file contains multiple embedded OLE objects, one of which is forced to update via \objupdate. ClamAV detections, specifically 'Xls.Malware.Valyria-10036093-0', strongly indicate malicious content within these embedded objects. The combination of embedded OLE objects and the forced update suggests an attempt to execute malicious code as soon as the document is opened, without the user activating the object.

Heuristics (5)

  • ClamAV: Xls.Malware.Valyria-10036093-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Xls.Malware.Valyria-10036093-0
  • \objupdate forces OLE activation [high, RTF_OBJUPDATE]
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium, RTF_OBJDATA]
    RTF contains 6 \objdata section(s) (embedded OLE objects)
  • Embedded OLE object [medium, RTF_OBJEMB]
    RTF contains \objemb (embedded OLE object)
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Filename                   | Kind                | Source                        | Size
---------------------------|---------------------|-------------------------------|------------
objdata_00_off0000290f.bin | rtf-objdata-decoded | RTF \objdata at offset 0x290F | 21563 bytes
    SHA-256: 00735e77c47266a86a9fc44fea4069b64b6c858f58389b678fc4d5e982d014b7
    Detection: ClamAV: Xls.Malware.Valyria-10036093-0
    Obfuscation or payload: unlikely
objdata_01_off000127f2.bin | rtf-objdata-decoded | RTF \objdata at offset 0x127F2 | 21563 bytes
    SHA-256: 88375f748366a212d61caf8a91edb7856726c914a0d4060b3f23aecf01b16019
    Detection: ClamAV: Xls.Malware.Valyria-10036093-0
    Obfuscation or payload: unlikely
objdata_02_off000226d3.bin | rtf-objdata-decoded | RTF \objdata at offset 0x226D3 | 21563 bytes
    SHA-256: 87b7b2e3b194e7f3929b5985158c35ddc4e5b88d5a1b913e041e9a5c7ea31de2
    Detection: ClamAV: Xls.Malware.Valyria-10036093-0
    Obfuscation or payload: unlikely
objdata_03_off000325b4.bin | rtf-objdata-decoded | RTF \objdata at offset 0x325B4 | 21563 bytes
    SHA-256: 0c933092a96808b16efd4fec73aa213646c2bdd87c6021b7b66ab9d08453c702
    Detection: ClamAV: Xls.Malware.Valyria-10036093-0
    Obfuscation or payload: unlikely
objdata_04_off0004259c.bin | rtf-objdata-decoded | RTF \objdata at offset 0x4259C | 21563 bytes
    SHA-256: b251f8558a201d34235354034b9f38d2debb6bcfad27b2e7f37f4e12464edbb6
    Detection: ClamAV: Xls.Malware.Valyria-10036093-0
    Obfuscation or payload: unlikely
objdata_05_off00052584.bin | rtf-objdata-decoded | RTF \objdata at offset 0x52584 | 21563 bytes
    SHA-256: eff3d880501e17ff75d21c904ec741805031414e58bd8121f60c04bb191e29f4
    Detection: ClamAV: Xls.Malware.Valyria-10036093-0
    Obfuscation or payload: unlikely