MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3dcc673a854935ef98a19331d51622000a866396a430f81014795b9dca996a04. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 12



SHA256 hash: 3dcc673a854935ef98a19331d51622000a866396a430f81014795b9dca996a04
SHA3-384 hash: 60e18029c30da3a5ac446e242e11b8e5df048a64b26035e48e6f1e6ca3a826b08502a91861fac39d321477436554053d
SHA1 hash: 581edcc35bb6751719b9f2a497021800885c0204
MD5 hash: 459a8eb5c77c6a257e9349246b18c664
humanhash: robert-lion-angel-music
File name: Copia de Copia de 3.3.90 María Grande 19-12-2025.xlsm
File size: 612'387 bytes
First seen: 2025-12-23 17:17:12 UTC
Last seen: Never
File type: Excel file xlsm
MIME type: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
ssdeep: 12288:k6WfUhPlwLBa9qsoxbM7LIfwuM3ut7aVndUXTPYIH4pmQ:k6WfUl6LBrN+nIflM+RKMgRoQ
TLSH: T153D4239E8D30F88EDD8864722E4F025E8EE575ECF1A6231D0DE142DE4ED8D421B479AD
TrID:
  42.4% (.XLAM) Excel Macro-enabled Open XML add-in (83500/1/13)
  29.2% (.XLSM) Excel Microsoft Office Open XML Format document (with Macro) (57500/1/12)
  17.3% (.XLSX) Excel Microsoft Office Open XML Format document (34000/1/7)
  8.9% (.ZIP) Open Packaging Conventions container (17500/1/4)
  2.0% (.ZIP) ZIP compressed archive (4000/1)
Magika: xlsb
Reporter: abuse_ch
Tags: xlsm

Office OLE Information


This malware sample appears to be an Office document. The following table provides more information about this document using oletools and oledump.

Embedded Images

MalwareBazaar found the following images embedded in this file:

MD5 hash | dc.creator | # of relations
8bae11611d81b9770d6a533593518380 | None

OLE dump

MalwareBazaar was able to identify 77 sections in this file using oledump:

Section ID | Section size | Section name
A1 | 97 bytes | BneBrowser/CompObj
A2 | 266 bytes | BneBrowser/VBFrame
A3 | 38 bytes | BneBrowser/f
A4 | 0 bytes | BneBrowser/o
A5 | 97 bytes | BneUploadSettings/CompObj
A6 | 262 bytes | BneUploadSettings/VBFrame
A7 | 551 bytes | BneUploadSettings/f
A8 | 516 bytes | BneUploadSettings/o
A9 | 1712 bytes | PROJECT
A10 | 30 bytes | PROJECTlk
A11 | 1046 bytes | PROJECTwm
A12 | 30967 bytes | VBA/BneBrowser
A13 | 5493 bytes | VBA/BneDownloadHTTPHandler
A14 | 8670 bytes | VBA/BneLayout
A15 | 9644 bytes | VBA/BneLayoutBlock
A16 | 7021 bytes | VBA/BneLayoutColumn
A17 | 15952 bytes | VBA/BneSummarySheet
A18 | 6627 bytes | VBA/BneUploadSettings
A19 | 34548 bytes | VBA/BneVBAGraph
A20 | 7672 bytes | VBA/BneVBAGraphs
A21 | 11248 bytes | VBA/BneVBAInterfaceCol
A22 | 14960 bytes | VBA/BneVBAMessage
A23 | 5953 bytes | VBA/BneVBAMessages
A24 | 4117 bytes | VBA/BneVBAParameter
A25 | 5811 bytes | VBA/BneVBAParameters
A26 | 12615 bytes | VBA/BneVBAProperties
A27 | 6308 bytes | VBA/BneVBAProperty
A28 | 91052 bytes | VBA/BneVBAUploader
A29 | 1179 bytes | VBA/Hoja4
A30 | 105661 bytes | VBA/Sheet1
A31 | 2061 bytes | VBA/Sheet2
A32 | 98972 bytes | VBA/ThisWorkbook
A33 | 42806 bytes | VBA/_VBA_PROJECT
A34 | 35386 bytes | VBA/__SRP_0
A35 | 7499 bytes | VBA/__SRP_1
A36 | 1504 bytes | VBA/__SRP_10
A37 | 612 bytes | VBA/__SRP_11
A38 | 1504 bytes | VBA/__SRP_12
A39 | 620 bytes | VBA/__SRP_13
A40 | 2868 bytes | VBA/__SRP_14
A41 | 1252 bytes | VBA/__SRP_15
A42 | 2712 bytes | VBA/__SRP_16
A43 | 1110 bytes | VBA/__SRP_17
A44 | 7065 bytes | VBA/__SRP_18
A45 | 2596 bytes | VBA/__SRP_19
A46 | 2066 bytes | VBA/__SRP_1a
A47 | 864 bytes | VBA/__SRP_1b
A48 | 464 bytes | VBA/__SRP_1c
A49 | 106 bytes | VBA/__SRP_1d
A50 | 28901 bytes | VBA/__SRP_1e
A51 | 4790 bytes | VBA/__SRP_1f
A52 | 24437 bytes | VBA/__SRP_2
A53 | 464 bytes | VBA/__SRP_20
A54 | 106 bytes | VBA/__SRP_21
A55 | 6175 bytes | VBA/__SRP_22
A56 | 892 bytes | VBA/__SRP_23
A57 | 2230 bytes | VBA/__SRP_24
A58 | 746 bytes | VBA/__SRP_25
A59 | 5116 bytes | VBA/__SRP_3
A60 | 19884 bytes | VBA/__SRP_4
A61 | 8552 bytes | VBA/__SRP_5
A62 | 8810 bytes | VBA/__SRP_6
A63 | 3634 bytes | VBA/__SRP_7
A64 | 5453 bytes | VBA/__SRP_8
A65 | 2698 bytes | VBA/__SRP_9
A66 | 1204 bytes | VBA/__SRP_a
A67 | 480 bytes | VBA/__SRP_b
A68 | 4706 bytes | VBA/__SRP_c
A69 | 1734 bytes | VBA/__SRP_d
A70 | 1308 bytes | VBA/__SRP_e
A71 | 644 bytes | VBA/__SRP_f
A72 | 125036 bytes | VBA/bneMain
A73 | 16096 bytes | VBA/bneMsgLogger
A74 | 14860 bytes | VBA/bneReadOnlyUtils
A75 | 28814 bytes | VBA/bneRibbonUtils
A76 | 2620 bytes | VBA/dir

Intelligence


File Origin
# of uploads: 1
# of downloads: 79
Origin country: SE

Vendor Threat Intelligence

Malware configuration found for: MSO
Details:
MSO: extracted OLE packages, if they are present within the input OOXML document

Malware family: n/a
ID: 1
File name: _3dcc673a854935ef98a19331d51622000a866396a430f81014795b9dca996a04.zip
Verdict: No threats detected
Analysis date: 2025-12-23 17:17:53 UTC
Tags: macros macros-on-open
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Legit
File type: text/xml
Has a screenshot: False
Contains macros: False

Verdict: Malicious
Score: 92.5%
Tags: office macro micro

Result
Verdict: Malicious
File Type: Excel File with Macro
Behaviour: BlacklistAPI detected

Verdict: Malicious
Labeled as: Msoffice/malicious_confidence_100%

Label: Benign
Suspicious Score: /10
Score Malicious: %
Score Benign: 1%

Result
Verdict: UNKNOWN
Details:
Macro with Startup Hook: Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
Macro with File System Write: Detected macro logic that can write data to the file system.
Macro with File System Read: Detected macro logic that can read data from the file system.
Excel Macro Manipulates Hidden Sheets: Detected macro logic designed to hide a sheet within the current, or another spreadsheet. This technique is not necessarily indicative of malicious behavior as hidden sheets have legitimate uses.
Shell.Application Object: Detected the instantiation of Shell Application object within the macro.
Macro with DLL Reference: Detected macro logic that will load additional functionality from Dynamically Linked Libraries (DLLs). While not explicitly malicious, this is a common tactic for accessing APIs that are not otherwise exposed via Visual Basic for Applications (VBA).

Result
Threat name: n/a
Detection: malicious
Classification: troj.expl.evad
Score: 68 / 100
Signature:
Document contains an embedded VBA macro which might access itself as a file (possible anti-VM)
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with functions possibly related to HTTP operations
Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)
Document contains an embedded VBA with many string operations indicating source code obfuscation
Document contains VBA stomped code (only p-code) potentially bypassing AV detection

Verdict: Malware
YARA: 3 match(es)
Tags: ATT&CK T1564.007 Blacklist VBA DeObfuscated Malicious Malicious Document Obfuscated Office Document Scripting.FileSystemObject Shell.Application T1059.005 VBA Stomping VBScript

Threat name: Document.Trojan.Heuristic
Status: Malicious
First seen: 2025-12-23 00:55:30 UTC
File Type: Document
Extracted files: 177
AV detection: 3 of 24 (12.50%)
Threat level: 2/5
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: Detect_PowerShell_Obfuscation
Author: daniyyell
Description: Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name: FreddyBearDropper
Author: Dwarozh Hoshiar
Description: Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: Hancitor
Author: Dhanunjaya
Description: Yara Rule To Detect Hancitor

Rule name: informational_win_ole_protected
Author: Jeff White (karttoon@gmail.com) @noottrak
Description: Identify OLE Project protection within documents.

Rule name: TA505_Maldoc_21Nov_2
Author: Arkbird_SOLG
Description: invitation (1).xls
Reference: https://twitter.com/58_158_177_102/status/1197432303057637377

Rule name: vbaproject_bin
Author: CD_R0M_
Description: {76 62 61 50 72 6f 6a 65 63 74 2e 62 69 6e} is hex for vbaproject.bin. Macros are often used by threat actors. Work in progress - Ran out of time

Rule name: weird_png_data_after_end
Author: Maxime THIEBAUT (@0xThiebaut)
Description: Detects data suspiciously located after a PNG's end header
Reference: https://www.bleepingcomputer.com/news/microsoft/windows-11-snipping-tool-privacy-bug-exposes-cropped-image-content/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments