Verdict: MALICIOUS
Risk Score: 242

Malware Insights

MITRE ATT&CK:
- T1566.001 Spearphishing Attachment
- T1203 Exploitation for Client Execution
The RTF file contains multiple embedded OLE objects, with \objupdate directives indicating an attempt to automatically activate them. High heuristic scores for excessive hex data within these objects suggest they are used to hide a malicious payload. ClamAV detection confirms this, identifying the sample as Xls.Malware.Valyria-10036093-0, which likely exploits a vulnerability to execute code.
Heuristics (6)

| Heuristic | Severity | ID | Description |
|---|---|---|---|
| ClamAV: Doc.Dropper.Agent-6940944-0 | critical | CLAMAV_DETECTION | ClamAV detected this file as malware: Doc.Dropper.Agent-6940944-0 |
| \objupdate forces OLE activation | high | RTF_OBJUPDATE | RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents. |
| Large hex data blocks in OLE object | high | RTF_EXCESSIVE_HEX | RTF contains ~1037KB of hex-encoded data inside \objdata sections; this may hide a payload. |
| OLE object data | medium | RTF_OBJDATA | RTF contains 14 \objdata section(s): embedded OLE objects. |
| Embedded OLE object | medium | RTF_OBJEMB | RTF contains \objemb: an embedded OLE object. |
| Embedded URL | info | EMBEDDED_URL | One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body) |
Extracted artifacts (14)

Files carved from inside the sample during analysis. All 14 carved objects are the same size and carry the same ClamAV detection; the SHA-256 column shows they are distinct byte sequences.

| Filename | Kind | Source | Size | SHA-256 | ClamAV detection | Obfuscation or payload |
|---|---|---|---|---|---|---|
| objdata_00_off00002c45.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2C45 | 27195 bytes | 8f77caad7536aaf7c794c61be64730f488a4bb7527872f871c1858eb1df2a02a | Doc.Dropper.Agent-6940944-0 | unlikely |
| objdata_01_off00016074.bin | rtf-objdata-decoded | RTF \objdata at offset 0x16074 | 27195 bytes | 3462ac8f1d152b5d2abcba3120ade63c6c7df763e772ae7a749fc59076f915de | Doc.Dropper.Agent-6940944-0 | unlikely |
| objdata_02_off000294a3.bin | rtf-objdata-decoded | RTF \objdata at offset 0x294A3 | 27195 bytes | c5d43ccc85eb901efaff9f947283ef97697785d021759415af5220588c57399d | Doc.Dropper.Agent-6940944-0 | unlikely |
| objdata_03_off0003c8d2.bin | rtf-objdata-decoded | RTF \objdata at offset 0x3C8D2 | 27195 bytes | 4a555788a751e536ee7f324baae5e09b169c8b5c76f8a7871ab870eac2b3c175 | Doc.Dropper.Agent-6940944-0 | unlikely |
| objdata_04_off0004fd01.bin | rtf-objdata-decoded | RTF \objdata at offset 0x4FD01 | 27195 bytes | 42cc3ef0eaa4fca7df3cc2202073e79d1d52c230a700a0126e96564b37a640ee | Doc.Dropper.Agent-6940944-0 | unlikely |
| objdata_05_off00063130.bin | rtf-objdata-decoded | RTF \objdata at offset 0x63130 | 27195 bytes | 560e8ef1b1bf31659f2c1006b9fba1b5e9d6d56e4bd065cec167ee59b8f62f1f | Doc.Dropper.Agent-6940944-0 | unlikely |
| objdata_06_off0007655f.bin | rtf-objdata-decoded | RTF \objdata at offset 0x7655F | 27195 bytes | 90d9a1b4fe1f99c11aec3fe4defef7aaeaab067bd808f4808936a3d3d5c90f09 | Doc.Dropper.Agent-6940944-0 | unlikely |
| objdata_07_off000899da.bin | rtf-objdata-decoded | RTF \objdata at offset 0x899DA | 27195 bytes | 2c5b7c593cf5a0e5afee5a289ce386a37a3ff5bfbb0d9b4b08f098224c868d27 | Doc.Dropper.Agent-6940944-0 | unlikely |
| objdata_08_off0009ce09.bin | rtf-objdata-decoded | RTF \objdata at offset 0x9CE09 | 27195 bytes | 5e1f7423e07c2b8d120782e066b8602b9775126090d1342b75f523fa1a610ab0 | Doc.Dropper.Agent-6940944-0 | unlikely |
| objdata_09_off000b0238.bin | rtf-objdata-decoded | RTF \objdata at offset 0xB0238 | 27195 bytes | e8341172c9d1927e4e61a0379ae1ecd4f87f6b91702797b4f81c46f44c066169 | Doc.Dropper.Agent-6940944-0 | unlikely |
| objdata_10_off000c3667.bin | rtf-objdata-decoded | RTF \objdata at offset 0xC3667 | 27195 bytes | a409cefb70af7eb25ccf6c3efb2519b573a5098ecca6404c58273cb13884f867 | Doc.Dropper.Agent-6940944-0 | unlikely |
| objdata_11_off000d6a96.bin | rtf-objdata-decoded | RTF \objdata at offset 0xD6A96 | 27195 bytes | 76cd5e94a142c80068d87025e2e62e76080ccf91f71c9c4bfdbed9266a3524ae | Doc.Dropper.Agent-6940944-0 | unlikely |
| objdata_12_off000e9ec5.bin | rtf-objdata-decoded | RTF \objdata at offset 0xE9EC5 | 27195 bytes | e67355db11c94033dfad501995b61a5e8cd714ceb516971cd248a220d48dac5a | Doc.Dropper.Agent-6940944-0 | unlikely |
| objdata_13_off000fd2f4.bin | rtf-objdata-decoded | RTF \objdata at offset 0xFD2F4 | 27195 bytes | 3641520e5797e823ec6f6c88933c4034fa3473f9c5e9ccc122ca3a2ddc6051bf | Doc.Dropper.Agent-6940944-0 | unlikely |