MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 17215529c2b6867985d3d79a2aa4f2b07cbc02ae07a49441b5cf34981c9555f7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 12

Intelligence 12 IOCs YARA 5 File information Comments

SHA256 hash:	17215529c2b6867985d3d79a2aa4f2b07cbc02ae07a49441b5cf34981c9555f7
SHA3-384 hash:	967e2285f9c1b36c2c6a6e4e3e20835c48b41d97a5438c16532555153471f0dc8ba1df21466e20c97a25dbaa3d56c3fc
SHA1 hash:	0b8bcc6d8dce1c4eb87e2ca847a0009a9922914b
MD5 hash:	1cba6ac19b745742ac1b7fbbe7e7da5c
humanhash:	september-sweet-bravo-yellow
File name:	PEŁNOMOCNICTWO - Dębicki M. Skorupki. 2025 doc.doc
Download:	download sample
File size:	65'536 bytes
First seen:	2025-12-23 17:16:46 UTC
Last seen:	Never
File type:	doc
MIME type:	application/msword
ssdeep	384:uxWBVtyFNHbyGcSYrmeJVBNK02tK+dqW+h7OhQJilz0rFMj6I:DV0fzErKy5WIOwV
TLSH	T1BC534F0C71D78E01E423453A4AFBC6946B37BD6EAFB15307225C3B2E6FB74600A91B52
TrID	78.9% (.DOC) Microsoft Word document (30000/1/2) 21.0% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika	doc
Reporter	abuse_ch
Tags:	doc

Office OLE Information

This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE dump

MalwareBazaar was able to identify 15 sections in this file using oledump:

Section ID	Section size	Section name
1	130 bytes	CompObj
2	4096 bytes	DocumentSummaryInformation
3	4096 bytes	SummaryInformation
4	6803 bytes	1Table
5	4096 bytes	Data
6	336 bytes	Macros/PROJECT
7	41 bytes	Macros/PROJECTwm
8	20015 bytes	Macros/VBA/ThisDocument
9	4637 bytes	Macros/VBA/_VBA_PROJECT
10	2169 bytes	Macros/VBA/__SRP_0
11	98 bytes	Macros/VBA/__SRP_1
12	2502 bytes	Macros/VBA/__SRP_2
13	101 bytes	Macros/VBA/__SRP_3
14	647 bytes	Macros/VBA/dir
15	9258 bytes	WordDocument

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

MSO

Details

MSO

extracted VBA Macros and, if observed, MS-OFORM variables/data are added to the knowledge base for usage in later parsing of the Macros

Link:

https://research.acce.ciphertechsolutions.com/results/0811a65d-1fbe-4c88-9940-6bcabff1ea1b/

Malware family:

n/a

ID:

File name:

_17215529c2b6867985d3d79a2aa4f2b07cbc02ae07a49441b5cf34981c9555f7.doc

Verdict:

No threats detected

Analysis date:

2025-12-23 17:30:07 UTC

Tags:

macros

Link:

https://app.any.run/tasks/193ecd06-b1c2-4e3f-aee6-38b30c5cfeac

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict:

Legit

File type:

application/msword

Has a screenshot:

False

Contains macros:

False

Detection(s):

TwinWave.EvilDoc.Marker_PCode.20231019.UNOFFICIAL

Sanesecurity.Badmacro.Doc.vbhish.UNOFFICIAL

Verdict:

Clean

Score:

89.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=694aceb2038f10550b55237b

Tags:

n/a

Result

Verdict:

Suspicious

File Type:

Legacy Word File with Macro

Link:

https://app.docguard.net/17215529c2b6867985d3d79a2aa4f2b07cbc02ae07a49441b5cf34981c9555f7/results/dashboard

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

evasive language-pl vbastomped

Link:

https://www.filescan.io/uploads/694acea0e126b9ff438ead4b/reports/70ce5d19-fc0f-4afa-8bf6-927460244d00/overview

Verdict:

Malicious

Labled as:

Msoffice/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/17215529c2b6867985d3d79a2aa4f2b07cbc02ae07a49441b5cf34981c9555f7

Label:

Benign

Suspicious Score:

/10

Score Malicious:

Score Benign:

Link:

https://www.malware.ai/gui/files/?id=e880d466-a804-4036-b821-bd232123cb99

Result

Verdict:

SUSPICIOUS

Link:

https://labs.inquest.net/dfi/sha256/17215529c2b6867985d3d79a2aa4f2b07cbc02ae07a49441b5cf34981c9555f7

Details

Document With Few Pages

Document contains between one and three pages of content. Most malicious documents are sparse in page count.

Verdict:

Clean

File Type:

doc

First seen:

2025-12-22T09:32:00Z UTC

Last seen:

2025-12-22T09:47:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/17215529c2b6867985d3d79a2aa4f2b07cbc02ae07a49441b5cf34981c9555f7/results?tab=lookup

Result

Threat name:

n/a

Detection:

clean

Classification:

n/a

Score:

3 / 100

Link:

https://www.joesandbox.com/analysis/1838329

Behaviour

Behavior Graph:

n/a

Score:

89%

Verdict:

Malware

File Type:

OFFICE

Link:

https://malprob.io/report/17215529c2b6867985d3d79a2aa4f2b07cbc02ae07a49441b5cf34981c9555f7

Verdict:

Malware

YARA:

6 match(es)

Tags:

Corrupted Office Document

Link:

https://app.malva.re/file/1cba6ac19b745742ac1b7fbbe7e7da5c

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/17215529c2b6867985d3d79a2aa4f2b07cbc02ae07a49441b5cf34981c9555f7/

Verdict:

Clean

Link:

https://tip.neiki.dev/file/17215529c2b6867985d3d79a2aa4f2b07cbc02ae07a49441b5cf34981c9555f7

Threat name:

Document.Trojan.Heuristic

Status:

Malicious

First seen:

2025-12-23 17:17:33 UTC

File Type:

Document

Extracted files:

AV detection:

4 of 24 (16.67%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=c4qvkkocw2dhtbot26ncvjhswb6lyavoa6sjiqnvz42jqhevkx3q._file

Gathering data

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/8384aa5f-e70c-4d51-a539-905ceb11d98c

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.10

Link:

https://yomi.yoroi.company/submissions/17215529c2b6867985d3d79a2aa4f2b07cbc02ae07a49441b5cf34981c9555f7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	informational_win_ole_protected Create hunting rule
Author:	Jeff White (karttoon@gmail.com) @noottrak
Description:	Identify OLE Project protection within documents.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample