Verdict: MALICIOUS
Risk Score: 202
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
The RTF file contains multiple embedded OLE objects, with one being forcefully updated via \objupdate. ClamAV detections, specifically 'Xls.Malware.Valyria-10036093-0', strongly indicate malicious content within these embedded objects. The presence of OLE objects and the forced update suggest an attempt to execute malicious code upon opening the document.
Heuristics (5)
- ClamAV: Xls.Malware.Valyria-10036093-0 (severity: critical, id: CLAMAV_DETECTION). ClamAV detected this file as malware: Xls.Malware.Valyria-10036093-0.
- \objupdate forces OLE activation (severity: high, id: RTF_OBJUPDATE). RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
- OLE object data (severity: medium, id: RTF_OBJDATA). RTF contains 6 \objdata section(s), i.e. embedded OLE objects.
- Embedded OLE object (severity: medium, id: RTF_OBJEMB). RTF contains \objemb, an embedded OLE object.
- Embedded URL (severity: info, id: EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)
Extracted artifacts (6)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 | Detection | Obfuscation or payload |
|---|---|---|---|---|---|---|
| objdata_00_off0000290f.bin | rtf-objdata-decoded | RTF \objdata at offset 0x290F | 21563 bytes | 00735e77c47266a86a9fc44fea4069b64b6c858f58389b678fc4d5e982d014b7 | ClamAV: Xls.Malware.Valyria-10036093-0 | unlikely |
| objdata_01_off000127f2.bin | rtf-objdata-decoded | RTF \objdata at offset 0x127F2 | 21563 bytes | 88375f748366a212d61caf8a91edb7856726c914a0d4060b3f23aecf01b16019 | ClamAV: Xls.Malware.Valyria-10036093-0 | unlikely |
| objdata_02_off000226d3.bin | rtf-objdata-decoded | RTF \objdata at offset 0x226D3 | 21563 bytes | 87b7b2e3b194e7f3929b5985158c35ddc4e5b88d5a1b913e041e9a5c7ea31de2 | ClamAV: Xls.Malware.Valyria-10036093-0 | unlikely |
| objdata_03_off000325b4.bin | rtf-objdata-decoded | RTF \objdata at offset 0x325B4 | 21563 bytes | 0c933092a96808b16efd4fec73aa213646c2bdd87c6021b7b66ab9d08453c702 | ClamAV: Xls.Malware.Valyria-10036093-0 | unlikely |
| objdata_04_off0004259c.bin | rtf-objdata-decoded | RTF \objdata at offset 0x4259C | 21563 bytes | b251f8558a201d34235354034b9f38d2debb6bcfad27b2e7f37f4e12464edbb6 | ClamAV: Xls.Malware.Valyria-10036093-0 | unlikely |
| objdata_05_off00052584.bin | rtf-objdata-decoded | RTF \objdata at offset 0x52584 | 21563 bytes | eff3d880501e17ff75d21c904ec741805031414e58bd8121f60c04bb191e29f4 | ClamAV: Xls.Malware.Valyria-10036093-0 | unlikely |