Xls.Malware.Valyria-10036093-0 — RTF malware analysis

Static analysis result for SHA-256 e25e3333db573b70…

MALICIOUS

RTF

Size: 1.09 MB
Created: 2018-04-16
First seen: 2021-02-23
MD5: 4958f718d47061f2e9e2064f8ac94e06
SHA-1: ad83b4e0ab304e9b9b103a696c0239d1c575de4c
SHA-256: e25e3333db573b70ca342d5d040800d030c3e8348983a2592de415297b0b5b3b
Risk Score: 242

Malware Insights

Xls.Malware.Valyria-10036093-0 · confidence 95%

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The RTF file contains multiple embedded OLE objects, with \objupdate directives indicating an attempt to automatically activate them. High heuristic scores for excessive hex data within these objects suggest they are used to hide a malicious payload. ClamAV detection confirms this, identifying the sample as Xls.Malware.Valyria-10036093-0, which likely exploits a vulnerability to execute code.

Heuristics (6)

  • ClamAV: Doc.Dropper.Agent-6940944-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6940944-0
  • \objupdate forces OLE activation [high] (RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • Large hex data blocks in OLE object [high] (RTF_EXCESSIVE_HEX)
    RTF contains ~1037KB of hex-encoded data inside \objdata sections — may hide a payload
  • OLE object data [medium] (RTF_OBJDATA)
    RTF contains 14 \objdata section(s) — embedded OLE objects
  • Embedded OLE object [medium] (RTF_OBJEMB)
    RTF contains \objemb — embedded OLE object
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)

Extracted artifacts (14)

Files carved from inside the sample during analysis.

  • objdata_00_off00002c45.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x2C45
    Size: 27195 bytes
    SHA-256: 8f77caad7536aaf7c794c61be64730f488a4bb7527872f871c1858eb1df2a02a
    Detection: ClamAV: Doc.Dropper.Agent-6940944-0
    Obfuscation or payload: unlikely
  • objdata_01_off00016074.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x16074
    Size: 27195 bytes
    SHA-256: 3462ac8f1d152b5d2abcba3120ade63c6c7df763e772ae7a749fc59076f915de
    Detection: ClamAV: Doc.Dropper.Agent-6940944-0
    Obfuscation or payload: unlikely
  • objdata_02_off000294a3.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x294A3
    Size: 27195 bytes
    SHA-256: c5d43ccc85eb901efaff9f947283ef97697785d021759415af5220588c57399d
    Detection: ClamAV: Doc.Dropper.Agent-6940944-0
    Obfuscation or payload: unlikely
  • objdata_03_off0003c8d2.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x3C8D2
    Size: 27195 bytes
    SHA-256: 4a555788a751e536ee7f324baae5e09b169c8b5c76f8a7871ab870eac2b3c175
    Detection: ClamAV: Doc.Dropper.Agent-6940944-0
    Obfuscation or payload: unlikely
  • objdata_04_off0004fd01.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x4FD01
    Size: 27195 bytes
    SHA-256: 42cc3ef0eaa4fca7df3cc2202073e79d1d52c230a700a0126e96564b37a640ee
    Detection: ClamAV: Doc.Dropper.Agent-6940944-0
    Obfuscation or payload: unlikely
  • objdata_05_off00063130.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x63130
    Size: 27195 bytes
    SHA-256: 560e8ef1b1bf31659f2c1006b9fba1b5e9d6d56e4bd065cec167ee59b8f62f1f
    Detection: ClamAV: Doc.Dropper.Agent-6940944-0
    Obfuscation or payload: unlikely
  • objdata_06_off0007655f.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x7655F
    Size: 27195 bytes
    SHA-256: 90d9a1b4fe1f99c11aec3fe4defef7aaeaab067bd808f4808936a3d3d5c90f09
    Detection: ClamAV: Doc.Dropper.Agent-6940944-0
    Obfuscation or payload: unlikely
  • objdata_07_off000899da.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x899DA
    Size: 27195 bytes
    SHA-256: 2c5b7c593cf5a0e5afee5a289ce386a37a3ff5bfbb0d9b4b08f098224c868d27
    Detection: ClamAV: Doc.Dropper.Agent-6940944-0
    Obfuscation or payload: unlikely
  • objdata_08_off0009ce09.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x9CE09
    Size: 27195 bytes
    SHA-256: 5e1f7423e07c2b8d120782e066b8602b9775126090d1342b75f523fa1a610ab0
    Detection: ClamAV: Doc.Dropper.Agent-6940944-0
    Obfuscation or payload: unlikely
  • objdata_09_off000b0238.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0xB0238
    Size: 27195 bytes
    SHA-256: e8341172c9d1927e4e61a0379ae1ecd4f87f6b91702797b4f81c46f44c066169
    Detection: ClamAV: Doc.Dropper.Agent-6940944-0
    Obfuscation or payload: unlikely
  • objdata_10_off000c3667.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0xC3667
    Size: 27195 bytes
    SHA-256: a409cefb70af7eb25ccf6c3efb2519b573a5098ecca6404c58273cb13884f867
    Detection: ClamAV: Doc.Dropper.Agent-6940944-0
    Obfuscation or payload: unlikely
  • objdata_11_off000d6a96.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0xD6A96
    Size: 27195 bytes
    SHA-256: 76cd5e94a142c80068d87025e2e62e76080ccf91f71c9c4bfdbed9266a3524ae
    Detection: ClamAV: Doc.Dropper.Agent-6940944-0
    Obfuscation or payload: unlikely
  • objdata_12_off000e9ec5.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0xE9EC5
    Size: 27195 bytes
    SHA-256: e67355db11c94033dfad501995b61a5e8cd714ceb516971cd248a220d48dac5a
    Detection: ClamAV: Doc.Dropper.Agent-6940944-0
    Obfuscation or payload: unlikely
  • objdata_13_off000fd2f4.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0xFD2F4
    Size: 27195 bytes
    SHA-256: 3641520e5797e823ec6f6c88933c4034fa3473f9c5e9ccc122ca3a2ddc6051bf
    Detection: ClamAV: Doc.Dropper.Agent-6940944-0
    Obfuscation or payload: unlikely