Verdict: MALICIOUS (Risk Score 202)

Malware Insights

MITRE ATT&CK:
- T1566.001 Spearphishing Attachment
- T1203 Exploitation for Client Execution
The RTF file contains multiple embedded OLE objects, with one being forcefully updated via \objupdate. ClamAV detections, specifically 'Xls.Malware.Valyria-10036093-0', strongly indicate malicious content within these embedded objects. The presence of OLE objects and the forced update suggest an attempt to execute malicious code upon opening the document.
Heuristics (5)

- ClamAV: Xls.Malware.Valyria-10036093-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Malware.Valyria-10036093-0
- \objupdate forces OLE activation (high, RTF_OBJUPDATE): RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
- OLE object data (medium, RTF_OBJDATA): RTF contains 9 \objdata section(s), i.e. embedded OLE objects.
- Embedded OLE object (medium, RTF_OBJEMB): RTF contains \objemb, an embedded OLE object.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)
Extracted artifacts 9
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 | ClamAV detection | Obfuscation or payload |
|---|---|---|---|---|---|---|
| objdata_00_off00002c71.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2C71 | 26171 bytes | 0a362cdd9dd953b7ec33aedf7dabe68d9dc5c1067699549b570c362dc0b0ad28 | Xls.Malware.Valyria-10036093-0 | unlikely |
| objdata_01_off000152bc.bin | rtf-objdata-decoded | RTF \objdata at offset 0x152BC | 26171 bytes | 4267144724e3cff5012847f1017dac1148e2af7838e37a0066e137ccf51b2947 | Xls.Malware.Valyria-10036093-0 | unlikely |
| objdata_02_off00027909.bin | rtf-objdata-decoded | RTF \objdata at offset 0x27909 | 26171 bytes | 5b605c0b31a7fcc187d577154d78f94d6ab0ebc1dea05df14a6ec166a85333a7 | Xls.Malware.Valyria-10036093-0 | unlikely |
| objdata_03_off00039f56.bin | rtf-objdata-decoded | RTF \objdata at offset 0x39F56 | 26171 bytes | e508bfd552b7eaada1dfba23739571fe43793f91e1f68d55e108ea0c3e242dfb | Xls.Malware.Valyria-10036093-0 | unlikely |
| objdata_04_off0004c5a3.bin | rtf-objdata-decoded | RTF \objdata at offset 0x4C5A3 | 26171 bytes | 3a7508019ace8ab198f7d3933fc4f82c9a06b2beb07c7ee40afb52065d9ba2d0 | Xls.Malware.Valyria-10036093-0 | unlikely |
| objdata_05_off0005ebf0.bin | rtf-objdata-decoded | RTF \objdata at offset 0x5EBF0 | 26171 bytes | 26517601bb87844a53c3f6627d74c62e735670845ac993efbee7002dee626966 | Xls.Malware.Valyria-10036093-0 | unlikely |
| objdata_06_off0007123d.bin | rtf-objdata-decoded | RTF \objdata at offset 0x7123D | 26171 bytes | f0b4b5d527c74600368ae06ae0de461b3cc9525b1af4ac614f084481b8e334cd | Xls.Malware.Valyria-10036093-0 | unlikely |
| objdata_07_off0008388a.bin | rtf-objdata-decoded | RTF \objdata at offset 0x8388A | 26171 bytes | 51852fb9c31433d4df4797be7ec8134a636a622620d6b7013ad11e8e0a85325c | Xls.Malware.Valyria-10036093-0 | unlikely |
| objdata_08_off00095ed7.bin | rtf-objdata-decoded | RTF \objdata at offset 0x95ED7 | 26171 bytes | 5d1937cf5f1a27459c1af5e79d0c5d2768519a8bf0b5e08a6986adc0a2dab9a3 | Xls.Malware.Valyria-10036093-0 | unlikely |