MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 373ca2f299acaf012ed9dfbae70579e10f49d881f669ef215e6d611faa78c818. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 373ca2f299acaf012ed9dfbae70579e10f49d881f669ef215e6d611faa78c818
SHA3-384 hash: ca66a5a3f76dc793d81facd5f4768c56e09c09322aac70d49d7eb584b155a5ac6abbeabdebd7ea661be2b5111bd8426a
SHA1 hash: 50d32bc7e2abfc5e897cc6d616d94c48adf980e4
MD5 hash: 6e7d9c64b1a463ea64520eaea68a044f
humanhash: saturn-uranus-foxtrot-freddie
File name:IMAGES____00999000008875443322EEEEEE.dOC
Download: download sample
File size:53'247 bytes
First seen:2025-09-18 15:26:11 UTC
Last seen:Never
File type:Word file doc
MIME type:text/rtf
ssdeep 384:JLLvdlnWkD5TorQiu7pFzR3n1VgGzr/QiVVEPHiAkWoa4byb56Jc9fT:xvdsSljr5nAGzr/QiEqAkhMbQJ0T
TLSH T1BE33F058E78F41A6CF546377432A0E8842FDB77EB71601B2B89D933037AD82D10A967D
TrID 83.3% (.RTF) Rich Text Format (5000/1)
16.6% (.JSON) JSON object (generic) (1000/1)
Magika txt
Reporter ShadowOpCode
Tags:172-245-4-220 45-61-134-233 CVE-2017-11882 doc

Office OLE Information

This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

RTF Object

In this RTF file the following objects could be found:

IndexClass NameObjectFile sizeSHA256 hash
00001844hn/an/a1'782 bytes 9170b6887f90b5b4163747f12c574f5d6046251fb3baba1a9d2d8ea0dd9185fd

Intelligence

File Origin
# of uploads :
1
# of downloads :
113
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
EUR7158_52_SWIFT.docx.zip
Verdict:
Malicious activity
Analysis date:
2025-09-18 10:32:56 UTC
Tags:
cve-2017-11882 exploit
Link:
https://app.any.run/tasks/3c943311-5855-4717-a2aa-771f5cf7cc4c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Sanesecurity.Shelter.Malware.BadRtf.ObjUpd.UNOFFICIAL
Create hunting rule

MiscreantPunch.RTF.2017-0199.Obfus.171711.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68cc24bd246a2631bd30acbb
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for synchronization primitives
Creating a window
Сreating synchronization primitives
Sending a custom TCP request
Result
Verdict:
Malicious
File Type:
Fake RTF File
Link:
https://app.docguard.net/373ca2f299acaf012ed9dfbae70579e10f49d881f669ef215e6d611faa78c818/results/dashboard
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
embedequation exploit shellcode
Link:
https://www.filescan.io/uploads/68cc24bf254431b688d3360c/reports/1c35d51c-6700-48f8-b084-99b0839407cf/overview
Verdict:
Malicious
Labled as:
CVE-2017-11882
Link:
https://www.hybrid-analysis.com/sample/373ca2f299acaf012ed9dfbae70579e10f49d881f669ef215e6d611faa78c818
Label:
Malicious
Suspicious Score:
10/10
Score Malicious:
1%
Score Benign:
0%
Link:
https://www.malware.ai/gui/files/?id=df03abe5-04f8-4ad9-865f-6ea8e3fc12f2
Verdict:
Malicious
File Type:
rtf
First seen:
2025-09-18T05:48:00Z UTC
Last seen:
2025-09-18T05:48:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/373ca2f299acaf012ed9dfbae70579e10f49d881f669ef215e6d611faa78c818/results?tab=lookup
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/373ca2f299acaf012ed9dfbae70579e10f49d881f669ef215e6d611faa78c818
Verdict:
inconclusive
YARA:
2 match(es)
Tags:
RTF File
Link:
https://app.malva.re/file/6e7d9c64b1a463ea64520eaea68a044f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/373ca2f299acaf012ed9dfbae70579e10f49d881f669ef215e6d611faa78c818/
Threat name:
Document-RTF.Exploit.CVE-2017-11882
Create hunting rule
Status:
Malicious
First seen:
2025-09-18 07:52:30 UTC
File Type:
Document
Extracted files:
4
AV detection:
18 of 38 (47.37%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=g46kf4uzvsxqclwz365ooblz4ehutweb6zu66ik6nvqr7ktyzama._file
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/250918-svj94axvav/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/4e2e810d-f434-45ce-946b-082a9dd34d48
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.32
Link:
https://yomi.yoroi.company/submissions/373ca2f299acaf012ed9dfbae70579e10f49d881f669ef215e6d611faa78c818

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SUSP_INDICATOR_RTF_MalVer_Objects
Create hunting rule
Author:ditekSHen
Description:Detects RTF documents with non-standard version and embedding one of the object mostly observed in exploit (e.g. CVE-2017-11882) documents.
Reference:https://github.com/ditekshen/detection

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments