Malicious RTF — malware analysis report

Static analysis result for SHA-256 c6892fbba2a4db78…

Verdict: MALICIOUS
File type: RTF
Size: 705.9 KB
Created: 2018-02-07 19:26:00
First seen: 2021-02-23
MD5: 34e123f1d645eb22eabf9a0468f331dc
SHA-1: c2b37eba99fe9488f23501dbecc3b1db44ea2734
SHA-256: c6892fbba2a4db782d50e4814bafa327266bb3024af01726ab11ed3964ea29b3
Risk score: 202

Heuristics (5)

  • ClamAV: Xls.Malware.Valyria-6934880-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.Valyria-6934880-0
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 10 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2003/wordml In RTF body

Extracted artifacts (10)

Files carved from inside the sample during analysis.

Each entry lists filename, kind, source, size, SHA-256, detection and obfuscation assessment.

  • objdata_00_off000029f5.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x29F5
    Size: 22587 bytes
    SHA-256: 2c66b14fce7f75c581ac548eeae4fde7bd8918371aed61ea57322e90a8da89ab
    Detection: ClamAV: Xls.Malware.Valyria-6934880-0
    Obfuscation or payload: unlikely
  • objdata_01_off000135a4.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x135A4
    Size: 22587 bytes
    SHA-256: c7dd725b6c6c263188b6f0bbb8e45039111d4d590f231217ca8e40dadbe5aa83
    Detection: ClamAV: Xls.Malware.Valyria-6934880-0
    Obfuscation or payload: unlikely
  • objdata_02_off000240ca.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x240CA
    Size: 22587 bytes
    SHA-256: 11dfb0d2ae7c470b107bd98a8d299bb3d09fe62230106adb336bb3c8010f757e
    Detection: ClamAV: Xls.Malware.Valyria-6934880-0
    Obfuscation or payload: unlikely
  • objdata_03_off00034bf2.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x34BF2
    Size: 22587 bytes
    SHA-256: 2bf09fe8d9656f8828b4d54fe50964412dd576ac7f36e033859ab39770738c76
    Detection: ClamAV: Xls.Malware.Valyria-6934880-0
    Obfuscation or payload: unlikely
  • objdata_04_off00045766.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x45766
    Size: 22587 bytes
    SHA-256: 2d2d1a45aa920ce2960ef1e26364cbc660e7976d729d4aeb525fec157842fb07
    Detection: ClamAV: Xls.Malware.Valyria-6934880-0
    Obfuscation or payload: unlikely
  • objdata_05_off0005628e.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x5628E
    Size: 22587 bytes
    SHA-256: 8f0635a612480adf091d3c5591bf2783d9d70c3fc04c1bb8cc7d40657be34c8b
    Detection: ClamAV: Xls.Malware.Valyria-6934880-0
    Obfuscation or payload: unlikely
  • objdata_06_off00066db6.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x66DB6
    Size: 22587 bytes
    SHA-256: 8f4439f82297eccaf7b9fe53a48fcbe8a76e26662d2cbf5c4b5594c927296a70
    Detection: ClamAV: Xls.Malware.Valyria-6934880-0
    Obfuscation or payload: unlikely
  • objdata_07_off000778de.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x778DE
    Size: 22587 bytes
    SHA-256: d2e020653aa1f943f1759a2f7670417aa95eb93f2aef3028e491475e72fccb98
    Detection: ClamAV: Xls.Malware.Valyria-6934880-0
    Obfuscation or payload: unlikely
  • objdata_08_off00088406.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x88406
    Size: 22587 bytes
    SHA-256: 16fc6f12595103f4392125b8eaff3feab830d7acfc026f07629c2971b3682d94
    Detection: ClamAV: Xls.Malware.Valyria-6934880-0
    Obfuscation or payload: unlikely
  • objdata_09_off00098f2e.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x98F2E
    Size: 22587 bytes
    SHA-256: a6a1855f3bbcd68ee113b7807a282f3741c42bf330488a81dd2f2e95d516caa3
    Detection: ClamAV: Xls.Malware.Valyria-6934880-0
    Obfuscation or payload: unlikely