MALICIOUS
202
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
The RTF file contains multiple embedded OLE objects, with heuristics indicating that \objupdate forces OLE activation. ClamAV detections identify the embedded content as 'Xls.Malware.Valyria-6934880-0', suggesting it's designed to exploit vulnerabilities or deliver a malicious payload. The presence of embedded OLE objects and the ClamAV detection strongly indicate a malicious intent, likely involving exploitation for client execution.
Heuristics 5
-
ClamAV: Xls.Malware.Valyria-6934880-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Xls.Malware.Valyria-6934880-0
-
\objupdate forces OLE activation high RTF_OBJUPDATERTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
-
OLE object data medium RTF_OBJDATARTF contains 10 \objdata section(s) — embedded OLE objects
-
Embedded OLE object medium RTF_OBJEMBRTF contains \objemb — embedded OLE object
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.microsoft.com/office/word/2003/wordml In RTF body
Extracted artifacts 10
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
objdata_00_off00002c2a.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x2C2A | 22587 bytes |
SHA-256: 2a8d9c85b678ed47680ff2c4435258d8fc206d5cd19905af8260558f4781068b |
|||
|
Detection
ClamAV:
Xls.Malware.Valyria-6934880-0
Obfuscation or payload:
unlikely
|
|||
objdata_01_off00013836.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x13836 | 22587 bytes |
SHA-256: 1d2bd306ec41443b4b81fc07cf2f756459306e46624f9fdc7f6a6dec817d8dbb |
|||
|
Detection
ClamAV:
Xls.Malware.Valyria-6934880-0
Obfuscation or payload:
unlikely
|
|||
objdata_02_off000243b7.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x243B7 | 22587 bytes |
SHA-256: a8f52339d3d33ef6f8f4abf2785bbc1f378c95984c30161bda4d14ccd5fccf01 |
|||
|
Detection
ClamAV:
Xls.Malware.Valyria-6934880-0
Obfuscation or payload:
unlikely
|
|||
objdata_03_off00034f3a.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x34F3A | 22587 bytes |
SHA-256: 06ae281740a088ace231a440dd20a8a419c5f845e939c6f85abbba1d9e260727 |
|||
|
Detection
ClamAV:
Xls.Malware.Valyria-6934880-0
Obfuscation or payload:
unlikely
|
|||
objdata_04_off00045abd.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x45ABD | 22587 bytes |
SHA-256: 7fed26c2506522d28add82b44e8c56add72c99b0cb7203b3c8b3aa1147195fd4 |
|||
|
Detection
ClamAV:
Xls.Malware.Valyria-6934880-0
Obfuscation or payload:
unlikely
|
|||
objdata_05_off00056640.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x56640 | 22587 bytes |
SHA-256: 824f28a3baad0dc727c4809640b4bf2e217cca879bff875d04cdae57b5fbbdee |
|||
|
Detection
ClamAV:
Xls.Malware.Valyria-6934880-0
Obfuscation or payload:
unlikely
|
|||
objdata_06_off000671c3.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x671C3 | 22587 bytes |
SHA-256: 8c614f1b5b2101a968d1ad260c1f1ad404723c285e4f16cdad338faf76a8ce5a |
|||
|
Detection
ClamAV:
Xls.Malware.Valyria-6934880-0
Obfuscation or payload:
unlikely
|
|||
objdata_07_off00077d46.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x77D46 | 22587 bytes |
SHA-256: 6c8edba4164485dfb6d2014c5d201a15e1ef9f1ec1433d33a1622dffa335bc8e |
|||
|
Detection
ClamAV:
Xls.Malware.Valyria-6934880-0
Obfuscation or payload:
unlikely
|
|||
objdata_08_off000888c9.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x888C9 | 22587 bytes |
SHA-256: 2e203a9aebf5097f4ebd1918f4a83e1863a23259991128eb0a6fa08c27a524a5 |
|||
|
Detection
ClamAV:
Xls.Malware.Valyria-6934880-0
Obfuscation or payload:
unlikely
|
|||
objdata_09_off0009944c.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x9944C | 22587 bytes |
SHA-256: 19a54e01937797bddc1b84cf2bd192c4ee517ca89ed320f137ad409a072f1261 |
|||
|
Detection
ClamAV:
Xls.Malware.Valyria-6934880-0
Obfuscation or payload:
unlikely
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.