MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2d8d41b91fa96a7c4d50b549927f510d06886405f9bd2423ab42c97ce65facc8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 11

Intelligence 11 IOCs YARA 5 File information Comments

SHA256 hash:	2d8d41b91fa96a7c4d50b549927f510d06886405f9bd2423ab42c97ce65facc8
SHA3-384 hash:	2d9a74c753ef8db0f5d4d911e4af5fc725856c356968daf662e63f5e62e3691483f16bc1f3cd0fbbdd58ba48d3be9ce9
SHA1 hash:	54ffba9d6f0efab7c4b2acd46532ad731fea51d3
MD5 hash:	486e0740c8dbe8322a3628cd74382b9d
humanhash:	wisconsin-friend-paris-maine
File name:	PEŁNOMOCNICTWO - Wasilewski K. Skorupki. 2025 doc.doc
Download:	download sample
File size:	65'536 bytes
First seen:	2025-12-23 17:16:44 UTC
Last seen:	Never
File type:	doc
MIME type:	application/msword
ssdeep	384:MtpmkFNHoszYyGcSYrmeNcNCQs2tK+dqW+h7OhQJilz0rFMj6I:MHfIQopCQK5WIOwV
TLSH	T15853500C31D78E01E52745364EFBC695AA37BC6DAFB15307225C3B2E6FB74600A51B62
TrID	78.9% (.DOC) Microsoft Word document (30000/1/2) 21.0% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika	doc
Reporter	abuse_ch
Tags:	doc

Office OLE Information

This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE dump

MalwareBazaar was able to identify 15 sections in this file using oledump:

Section ID	Section size	Section name
1	130 bytes	CompObj
2	4096 bytes	DocumentSummaryInformation
3	4096 bytes	SummaryInformation
4	6819 bytes	1Table
5	4096 bytes	Data
6	336 bytes	Macros/PROJECT
7	41 bytes	Macros/PROJECTwm
8	20015 bytes	Macros/VBA/ThisDocument
9	4637 bytes	Macros/VBA/_VBA_PROJECT
10	2169 bytes	Macros/VBA/__SRP_0
11	98 bytes	Macros/VBA/__SRP_1
12	2502 bytes	Macros/VBA/__SRP_2
13	101 bytes	Macros/VBA/__SRP_3
14	647 bytes	Macros/VBA/dir
15	9258 bytes	WordDocument

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

MSO

Details

MSO

extracted VBA Macros and, if observed, MS-OFORM variables/data are added to the knowledge base for usage in later parsing of the Macros

Link:

https://research.acce.ciphertechsolutions.com/results/21af5e53-d170-4b19-bf10-3a2aa88bc759/

Malware family:

n/a

ID:

File name:

_2d8d41b91fa96a7c4d50b549927f510d06886405f9bd2423ab42c97ce65facc8.doc

Verdict:

No threats detected

Analysis date:

2025-12-23 17:25:20 UTC

Tags:

macros

Link:

https://app.any.run/tasks/43bd21aa-df0e-4d3b-897b-355f4a4bd4d4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict:

Legit

File type:

application/msword

Has a screenshot:

False

Contains macros:

False

Detection(s):

TwinWave.EvilDoc.Marker_PCode.20231019.UNOFFICIAL

Sanesecurity.Badmacro.Doc.vbhish.UNOFFICIAL

Verdict:

Clean

Score:

89.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=694aceaf01c7b4a8fe552220

Tags:

n/a

Result

Verdict:

Suspicious

File Type:

Legacy Word File with Macro

Link:

https://app.docguard.net/2d8d41b91fa96a7c4d50b549927f510d06886405f9bd2423ab42c97ce65facc8/results/dashboard

Verdict:

Malicious

Labled as:

Msoffice/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/2d8d41b91fa96a7c4d50b549927f510d06886405f9bd2423ab42c97ce65facc8

Label:

Benign

Suspicious Score:

/10

Score Malicious:

Score Benign:

Link:

https://www.malware.ai/gui/files/?id=f803f349-7cf4-4336-aaa1-df0a82b10b3c

Result

Verdict:

SUSPICIOUS

Link:

https://labs.inquest.net/dfi/sha256/2d8d41b91fa96a7c4d50b549927f510d06886405f9bd2423ab42c97ce65facc8

Details

Document With Few Pages

Document contains between one and three pages of content. Most malicious documents are sparse in page count.

Verdict:

Clean

File Type:

doc

First seen:

2025-12-22T09:32:00Z UTC

Last seen:

2025-12-22T09:47:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/2d8d41b91fa96a7c4d50b549927f510d06886405f9bd2423ab42c97ce65facc8/results?tab=lookup

Result

Threat name:

n/a

Detection:

clean

Classification:

n/a

Score:

3 / 100

Link:

https://www.joesandbox.com/analysis/1838330

Behaviour

Behavior Graph:

n/a

Score:

93%

Verdict:

Malware

File Type:

OFFICE

Link:

https://malprob.io/report/2d8d41b91fa96a7c4d50b549927f510d06886405f9bd2423ab42c97ce65facc8

Verdict:

Malware

YARA:

6 match(es)

Tags:

Corrupted Office Document

Link:

https://app.malva.re/file/486e0740c8dbe8322a3628cd74382b9d

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2d8d41b91fa96a7c4d50b549927f510d06886405f9bd2423ab42c97ce65facc8/

Verdict:

Clean

Link:

https://tip.neiki.dev/file/2d8d41b91fa96a7c4d50b549927f510d06886405f9bd2423ab42c97ce65facc8

Threat name:

Document.Trojan.Heuristic

Status:

Malicious

First seen:

2025-12-23 17:17:32 UTC

File Type:

Document

Extracted files:

AV detection:

4 of 24 (16.67%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=fwgudoi7vfvhytkqwveze72rbudiqzaf7g6sii5lilexzzs7vtea._file

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/251225-nya4daaq5x/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/c6d7c429-0b54-4d6b-ae7d-bf1331aa83f3

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.10

Link:

https://yomi.yoroi.company/submissions/2d8d41b91fa96a7c4d50b549927f510d06886405f9bd2423ab42c97ce65facc8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	informational_win_ole_protected Create hunting rule
Author:	Jeff White (karttoon@gmail.com) @noottrak
Description:	Identify OLE Project protection within documents.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample