Xls.Malware.Valyria-6934880-0 — RTF malware analysis

Static analysis result for SHA-256 fe2eb895f13534b1…

Verdict: MALICIOUS

File type: RTF

Size: 737.1 KB
Created: 2018-02-07 20:59:00
First seen: 2021-02-23

MD5: 306bed698ed9a2b33c376c4668dcb774
SHA-1: 754e53e33f2745bc86b98a27bdb837d083356780
SHA-256: fe2eb895f13534b1380c37f467e31b4f5ee42d092442924b5baac6b03325549e

Risk score: 202

Malware Insights

Xls.Malware.Valyria-6934880-0 · confidence 95%

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The RTF file contains multiple embedded OLE objects, and the heuristics indicate that \objupdate forces OLE activation. ClamAV identifies the embedded content as 'Xls.Malware.Valyria-6934880-0', suggesting it is designed to exploit a vulnerability or deliver a malicious payload. The combination of forcibly activated embedded OLE objects and the ClamAV detection strongly indicates malicious intent, most likely exploitation for client execution.

Heuristics (5)

  • ClamAV: Xls.Malware.Valyria-6934880-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Xls.Malware.Valyria-6934880-0
  • \objupdate forces OLE activation [high, RTF_OBJUPDATE]
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium, RTF_OBJDATA]
    RTF contains 10 \objdata section(s) — embedded OLE objects
  • Embedded OLE object [medium, RTF_OBJEMB]
    RTF contains \objemb — embedded OLE object
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body; this is the standard WordML schema namespace URI and is routinely present in benign Word-generated documents)

Extracted artifacts (10)

Files carved from inside the sample during analysis.

  • objdata_00_off00002c2a.bin (rtf-objdata-decoded, 22587 bytes)
    Source: RTF \objdata at offset 0x2C2A
    SHA-256: 2a8d9c85b678ed47680ff2c4435258d8fc206d5cd19905af8260558f4781068b
    Detection: ClamAV: Xls.Malware.Valyria-6934880-0
    Obfuscation or payload: unlikely
  • objdata_01_off00013836.bin (rtf-objdata-decoded, 22587 bytes)
    Source: RTF \objdata at offset 0x13836
    SHA-256: 1d2bd306ec41443b4b81fc07cf2f756459306e46624f9fdc7f6a6dec817d8dbb
    Detection: ClamAV: Xls.Malware.Valyria-6934880-0
    Obfuscation or payload: unlikely
  • objdata_02_off000243b7.bin (rtf-objdata-decoded, 22587 bytes)
    Source: RTF \objdata at offset 0x243B7
    SHA-256: a8f52339d3d33ef6f8f4abf2785bbc1f378c95984c30161bda4d14ccd5fccf01
    Detection: ClamAV: Xls.Malware.Valyria-6934880-0
    Obfuscation or payload: unlikely
  • objdata_03_off00034f3a.bin (rtf-objdata-decoded, 22587 bytes)
    Source: RTF \objdata at offset 0x34F3A
    SHA-256: 06ae281740a088ace231a440dd20a8a419c5f845e939c6f85abbba1d9e260727
    Detection: ClamAV: Xls.Malware.Valyria-6934880-0
    Obfuscation or payload: unlikely
  • objdata_04_off00045abd.bin (rtf-objdata-decoded, 22587 bytes)
    Source: RTF \objdata at offset 0x45ABD
    SHA-256: 7fed26c2506522d28add82b44e8c56add72c99b0cb7203b3c8b3aa1147195fd4
    Detection: ClamAV: Xls.Malware.Valyria-6934880-0
    Obfuscation or payload: unlikely
  • objdata_05_off00056640.bin (rtf-objdata-decoded, 22587 bytes)
    Source: RTF \objdata at offset 0x56640
    SHA-256: 824f28a3baad0dc727c4809640b4bf2e217cca879bff875d04cdae57b5fbbdee
    Detection: ClamAV: Xls.Malware.Valyria-6934880-0
    Obfuscation or payload: unlikely
  • objdata_06_off000671c3.bin (rtf-objdata-decoded, 22587 bytes)
    Source: RTF \objdata at offset 0x671C3
    SHA-256: 8c614f1b5b2101a968d1ad260c1f1ad404723c285e4f16cdad338faf76a8ce5a
    Detection: ClamAV: Xls.Malware.Valyria-6934880-0
    Obfuscation or payload: unlikely
  • objdata_07_off00077d46.bin (rtf-objdata-decoded, 22587 bytes)
    Source: RTF \objdata at offset 0x77D46
    SHA-256: 6c8edba4164485dfb6d2014c5d201a15e1ef9f1ec1433d33a1622dffa335bc8e
    Detection: ClamAV: Xls.Malware.Valyria-6934880-0
    Obfuscation or payload: unlikely
  • objdata_08_off000888c9.bin (rtf-objdata-decoded, 22587 bytes)
    Source: RTF \objdata at offset 0x888C9
    SHA-256: 2e203a9aebf5097f4ebd1918f4a83e1863a23259991128eb0a6fa08c27a524a5
    Detection: ClamAV: Xls.Malware.Valyria-6934880-0
    Obfuscation or payload: unlikely
  • objdata_09_off0009944c.bin (rtf-objdata-decoded, 22587 bytes)
    Source: RTF \objdata at offset 0x9944C
    SHA-256: 19a54e01937797bddc1b84cf2bd192c4ee517ca89ed320f137ad409a072f1261
    Detection: ClamAV: Xls.Malware.Valyria-6934880-0
    Obfuscation or payload: unlikely