Xls.Malware.Valyria-10036093-0 — RTF malware analysis

Static analysis result for SHA-256 ebcd26aadf74b09b…

MALICIOUS

RTF

Size: 571.2 KB · Created: 2018-03-12 23:04:00 · First seen: 2021-02-23
MD5: e9c2afd655068ffd23f7f046e3b90081
SHA-1: d23afd9a74489fec69c63171a0356664a4aaff1f
SHA-256: ebcd26aadf74b09b755356452e0ba1141baadcc177d9e6fccb5e3cad11dcb208
Risk Score: 202

Malware Insights

Xls.Malware.Valyria-10036093-0 · confidence 95%

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The RTF file carries seven \objdata sections (embedded OLE objects), and at least one \object group is marked \objupdate, which forces the object to be instantiated as soon as the document is rendered rather than when the user activates it. ClamAV signatures fire on the sample (Xls.Malware.Valyria-10036093-0 and Xls.Downloader.Generic-6750544-0) and the Downloader.Generic signature also fires on each of the four carved \objdata blobs. Forced OLE activation plus signature hits on the embedded objects is the profile of a document built to execute code on open (T1203), delivered as a phishing attachment (T1566.001).

Heuristics 5

  • ClamAV: Xls.Downloader.Generic-6750544-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.Generic-6750544-0
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate, which forces the embedded OLE object to be updated (instantiated) when the document is rendered, so the object's handler runs without the user double-clicking it. Very commonly seen in Equation Editor exploit documents, where the forced update is what triggers the exploit.
  • OLE object data medium RTF_OBJDATA
    RTF contains 7 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2003/wordml In RTF body. This is the WordML 2003 XML namespace identifier that Word writes into RTF it saves, not a network indicator; it should not be treated as a C2 or download location.
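The \objupdate, \objdata and \objemb heuristics above all depend on the same parsing step: walking the RTF brace groups, finding each {\object ...} group, decoding the hex payload of its {\*\objdata ...} child and reading the OLE 1.0 header at the front of it. The following Python is an added example written for this page; it is not the report's tooling and not oletools/rtfobj. It carves every object, records the flags the heuristics key on, hashes the decoded payload the way the artifact table does, and pulls the OLE1 class name (MS-OLEDS 2.2.4 ObjectHeader) so you can see what Equation.3 or Package object a \objupdate is forcing. The SAMPLE_RTF and its hand-built OLE1 headers are constructed for the example and are not the analysed file.

```python
"""Minimal RTF OLE-object carver (example code, not the report's tooling)."""
import hashlib
import struct

# Constructed sample RTF for this example: two embedded objects, the first
# marked \objupdate with an OLE1 header naming Equation.3, the second a plain
# Package. NOT the analysed file; the hex payloads are hand-built OLE1 headers.
SAMPLE_RTF = (
    rb"{\rtf1\ansi\deff0" b"\n"
    rb"{\object\objemb\objupdate\objw1440\objh720{\*\objclass Equation.3}"
    rb"{\*\objdata 01050000 02000000 0b000000 4571756174696f6e2e3300 "
    rb"00000000 00000000 10000000 d0cf11e0a1b11ae10000000000000000}}" b"\n"
    rb"{\object\objemb{\*\objclass Package}"
    rb"{\*\objdata 01050000 02000000 08000000 5061636b61676500 "
    rb"00000000 00000000 04000000 deadbeef}}" b"\n"
    rb"}"
)

HEXCHARS = frozenset(b"0123456789abcdefABCDEF")


def iter_groups(rtf):
    # Yield (start, end) for every brace group, in the order the groups close.
    # A brace preceded by a backslash is an escaped literal, not a delimiter
    # (the \\{ case is not handled; fine for triage, not for a full parser).
    stack = []
    for i, c in enumerate(rtf):
        if i and rtf[i - 1] == 0x5C:
            continue
        if c == 0x7B:                      # '{'
            stack.append(i)
        elif c == 0x7D and stack:          # '}'
            yield stack.pop(), i + 1


def decode_objdata(group):
    # group is a complete {\*\objdata ...} group; the payload is hex text in
    # which whitespace and any stray control words are skipped.
    body = group[len(b"{\\*\\objdata"):-1]
    hexdigits = bytearray()
    i = 0
    while i < len(body):
        c = body[i]
        if c == 0x5C:                      # skip a control word and its parameter
            i += 1
            while i < len(body) and (body[i:i + 1].isalnum() or body[i] == 0x2D):
                i += 1
            continue
        if c in HEXCHARS:
            hexdigits.append(c)
        i += 1
    if len(hexdigits) % 2:                 # dangling nibble: drop it
        hexdigits.pop()
    return bytes.fromhex(hexdigits.decode("ascii"))


def parse_ole1_header(data):
    # OLE 1.0 ObjectHeader (MS-OLEDS 2.2.4): OLEVersion, FormatID
    # (1 = linked, 2 = embedded), then a length-prefixed ANSI class name.
    if len(data) < 12:
        raise ValueError("objdata too short for an OLE1 header")
    version, format_id, name_len = struct.unpack_from("<III", data, 0)
    class_name = data[12:12 + name_len].rstrip(b"\x00").decode("latin-1")
    return {"ole_version": version, "format_id": format_id, "class_name": class_name}


def carve_rtf_objects(rtf):
    # One record per {\object ...} group: the flags the heuristics key on,
    # the decoded payload's size and SHA-256, and the OLE1 header fields.
    records = []
    for start, end in iter_groups(rtf):
        group = rtf[start:end]
        if not group.startswith(b"{\\object"):
            continue
        rec = {"offset": start, "objemb": b"\\objemb" in group,
               "objupdate": b"\\objupdate" in group,
               "rtf_objclass": None, "size": 0, "sha256": None}
        for s, e in iter_groups(group):
            sub = group[s:e]
            if sub.startswith(b"{\\*\\objclass"):
                rec["rtf_objclass"] = sub[len(b"{\\*\\objclass"):-1].strip().decode("latin-1")
            elif sub.startswith(b"{\\*\\objdata") and rec["size"] == 0:
                payload = decode_objdata(sub)
                rec["size"] = len(payload)
                rec["sha256"] = hashlib.sha256(payload).hexdigest()
                rec.update(parse_ole1_header(payload))
        records.append(rec)
    return records


def forced_activation(records):
    # The objects a triager opens first: embedded and auto-instantiated.
    return [r for r in records if r["objemb"] and r["objupdate"]]


if __name__ == "__main__":
    objs = carve_rtf_objects(SAMPLE_RTF)
    for o in objs:
        print(f"off=0x{o['offset']:X} objemb={o['objemb']} objupdate={o['objupdate']} "
              f"class={o.get('class_name')} size={o['size']} sha256={o['sha256']}")
    print("forced activation:", [o.get("class_name") for o in forced_activation(objs)])
```

Run it on a real sample by replacing SAMPLE_RTF with the file's bytes; the offsets it prints are the same byte offsets the artifact table below reports, and the OLE1 class name tells you whether a \objupdate is forcing an Equation.3 (EQNEDT32) object or an arbitrary Package. On production samples prefer oletools' rtfobj, which also handles obfuscated control words and nested \bin data; this carver is deliberately small so the parsing steps stay visible.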

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename                    Kind                 Source                         Size
objdata_00_off00002c51.bin  rtf-objdata-decoded  RTF \objdata at offset 0x2C51  28731 bytes
    SHA-256: 314cc12d81e846507ecf39857e279672bfed2ee8353eb725ecefa5187a02b5f6
    Detection: ClamAV Xls.Downloader.Generic-6750544-0
    Obfuscation or payload: unlikely
objdata_01_off00016c98.bin  rtf-objdata-decoded  RTF \objdata at offset 0x16C98  28731 bytes
    SHA-256: 194fdcd863df82e186d264a0b12c49437c9df10da125ecbe386d751f879b3845
    Detection: ClamAV Xls.Downloader.Generic-6750544-0
    Obfuscation or payload: unlikely
objdata_03_off0003ed26.bin  rtf-objdata-decoded  RTF \objdata at offset 0x3ED26  28731 bytes
    SHA-256: 9be7b16e2ec7f725790a241d9aaed9fc16cb5d5be2a99ce25fd7eb431f75bcb1
    Detection: ClamAV Xls.Downloader.Generic-6750544-0
    Obfuscation or payload: unlikely
objdata_05_off00066db4.bin  rtf-objdata-decoded  RTF \objdata at offset 0x66DB4  28731 bytes
    SHA-256: 658b0159f3d930aec1fe894a6378dbc466f7afc9d103cbbf9ebcdda9217085fe
    Detection: ClamAV Xls.Downloader.Generic-6750544-0
    Obfuscation or payload: unlikely

Four of the seven \objdata sections reported above are listed here (indices 02, 04 and 06 do not appear among the carved files). All four carved blobs are exactly 28731 bytes yet have distinct SHA-256 values, so they are four different objects of identical size rather than one object repeated, and ClamAV fires the same signature on each.