MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 26d010db11e473432f103bbf30faf2b9660db59b6a9f7a9cf177115823fdec4b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 12

Maldoc score: 9

Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash:	26d010db11e473432f103bbf30faf2b9660db59b6a9f7a9cf177115823fdec4b
SHA3-384 hash:	630e62087b93432295d1957e6e6ded3f79fe334a03fe4fd919c053a97c933b37ada2a3b7aca6586330f8adeb3f8f5744
SHA1 hash:	841af6ca2e1e9086656078356e841a5d8005fb2f
MD5 hash:	3068bccd49a6089cd004c7b274f4ea0b
humanhash:	wisconsin-edward-green-queen
File name:	Request#9023EQ.xls
Download:	download sample
File size:	563'712 bytes
First seen:	2026-06-02 15:47:12 UTC
Last seen:	2026-06-08 14:48:06 UTC
File type:	xls
MIME type:	application/vnd.ms-excel
ssdeep	12288:pEcwekXhe3+hWNjKJYK4UVaKIL7d5ArxgGNq1I3EpFeWQim:pHt3uxJAUAer6k3Me
TLSH	T13FC41255B2E4AFA6C027B47ECE8810EE1428ED306B16E14F318437CD35BB7D69A1E65C
TrID	34.9% (.XLS) Microsoft Excel sheet (32500/1/3) 30.1% (.XLS) Microsoft Excel sheet (alternate) (28000/1/3) 26.3% (.XLS) Microsoft Excel sheet (alternate) (24500/1/2) 8.6% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika	xls
Reporter	TomU
Tags:	cve-2017-0199 xls

Office OLE Information

This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE id

Maldoc score: 9

Application name is Microsoft Excel

File Format is MS Excel 97-2003

Container Format is OLE

Office document is in encrypted

Office document contains VBA Macros

OLE dump

MalwareBazaar was able to identify 15 sections in this file using oledump:

Section ID	Section size	Section name
1	114 bytes	CompObj
2	244 bytes	DocumentSummaryInformation
3	200 bytes	SummaryInformation
4	99 bytes	MBD001C2AD3/CompObj
5	335227 bytes	MBD001C2AD3/Package
6	564 bytes	MBD001C2AD4/Ole
7	209417 bytes	Workbook
8	527 bytes	_VBA_PROJECT_CUR/PROJECT
9	104 bytes	_VBA_PROJECT_CUR/PROJECTwm
10	977 bytes	_VBA_PROJECT_CUR/VBA/Sheet1
11	977 bytes	_VBA_PROJECT_CUR/VBA/Sheet2
12	977 bytes	_VBA_PROJECT_CUR/VBA/Sheet3
13	985 bytes	_VBA_PROJECT_CUR/VBA/ThisWorkbook
14	2644 bytes	_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
15	553 bytes	_VBA_PROJECT_CUR/VBA/dir

OLE vba

MalwareBazaar was able to extract and deobfuscate VBA script(s) the following information from OLE objects embedded in this file using olevba:

Type	Keyword	Description
Suspicious	Hex Strings	Hex-encoded strings were detected, may beused to obfuscate strings (option --decode tosee all)

Intelligence

File Origin

# of uploads :

# of downloads :

128

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

MSO

Details

MSO

extracted VBA Macros and, if observed, MS-OFORM variables/data are added to the knowledge base for usage in later parsing of the Macros

Link:

https://research.acce.ciphertechsolutions.com/results/8e22470c-5df7-4243-b1fb-e49e0c88a501/

Malware family:

n/a

ID:

File name:

xls

Verdict:

No threats detected

Analysis date:

2026-06-02 15:57:39 UTC

Tags:

qrcode

Link:

https://app.any.run/tasks/3b93d813-c674-4786-90e5-c6aaa047d52d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/68827/

Detection(s):

SecuriteInfo.com.Exploit.CVE-2017-0199-3.UNOFFICIAL

Verdict:

Malicious

Score:

70%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6a1efb09f8676ad4d3606255

Tags:

office macro micro

Result

Verdict:

Clean

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

Sending a custom TCP request

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

macros

Link:

https://www.filescan.io/uploads/6a1efb05099ef368af172258/reports/2189406c-dea1-446f-a892-40cd3a6f2bcc/overview

Verdict:

Malicious

Labled as:

CVE-2017-0199

Link:

https://www.hybrid-analysis.com/sample/26d010db11e473432f103bbf30faf2b9660db59b6a9f7a9cf177115823fdec4b

Label:

Malicious

Suspicious Score:

10/10

Score Malicious:

Score Benign:

Link:

https://www.malware.ai/gui/files/?id=03dbf9fa-7f57-418e-8ba3-1e2019484f23

Verdict:

Malicious

File Type:

xls

First seen:

2026-06-01T00:48:00Z UTC

Last seen:

2026-06-04T12:10:00Z UTC

Hits:

~100

Detections:

Trojan-Downloader.Agent.HTTP.C&C HEUR:Trojan.OLE2.UrcBadur.genw HEUR:Trojan-Downloader.MSOffice.Agent.gen HEUR:Exploit.MSOffice.CVE-2017-0199.gen

Link:

https://opentip.kaspersky.com/26d010db11e473432f103bbf30faf2b9660db59b6a9f7a9cf177115823fdec4b/results?tab=lookup

Score:

100%

Verdict:

Malware

File Type:

OFFICE

Link:

https://malprob.io/report/26d010db11e473432f103bbf30faf2b9660db59b6a9f7a9cf177115823fdec4b

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/26d010db11e473432f103bbf30faf2b9660db59b6a9f7a9cf177115823fdec4b/

Verdict:

Susipicious

Link:

https://tip.neiki.dev/file/26d010db11e473432f103bbf30faf2b9660db59b6a9f7a9cf177115823fdec4b

Threat name:

Win32.Exploit.CVE-2017-0199

Status:

Malicious

First seen:

2026-06-01 12:55:48 UTC

File Type:

Document

Extracted files:

115

AV detection:

12 of 24 (50.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=e3ibbwyr4rzuglyqho7tb6xsxfta3nm3nkpxvhhro4ivqi755rfq._file

Result

Malware family:

n/a

Score:

1/10

Tags:

persistence ransomware

Link:

https://tria.ge/reports/260602-s8w6taax4m/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Uses Volume Shadow Copy WMI provider

Uses Volume Shadow Copy service COM API

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.70

Link:

https://yomi.yoroi.company/submissions/26d010db11e473432f103bbf30faf2b9660db59b6a9f7a9cf177115823fdec4b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	informational_win_ole_protected Create hunting rule
Author:	Jeff White (karttoon@gmail.com) @noottrak
Description:	Identify OLE Project protection within documents.

Rule name:	XLS_STRINGS Create hunting rule
Author:	somedieyoungZZ
Description:	Detect Strings targeting Bangladesh

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

xls 26d010db11e473432f103bbf30faf2b9660db59b6a9f7a9cf177115823fdec4b

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/68827/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample