MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 41d5f3d7248164c110416a2558037f2cfaa87de694dfa6d2c4dc6685e7473f9e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments

SHA256 hash: 41d5f3d7248164c110416a2558037f2cfaa87de694dfa6d2c4dc6685e7473f9e
SHA3-384 hash: 7e37d2ba8af8af285e3907e93e75df40f4e1ea5ebf994c831f8c959fcea9c8ce9516e9ce2a15dffe4c575368e169bd6c
SHA1 hash: 3e64085c64c590649e9543dab1682cc93e13570b
MD5 hash: 4dc6574363c2c300d01bc8c0cd84a6f8
humanhash: pizza-black-winner-wyoming
File name:3178350XRFQ.xls
Download: download sample
File size:78'336 bytes
First seen:2026-07-03 17:50:22 UTC
Last seen:2026-07-03 17:51:14 UTC
File type:Excel file xls
MIME type:application/vnd.ms-excel
ssdeep 768:dqSYWVUhNeLD4nzvVK8Ul75wAw6tnqtUw2mOLt88aGnEe6khlIOQ+i+hBDPbQeh7:AOAZ57U7tnNmO88ie9xQATcehwPB7Z8
TLSH T10573F17533B1DA09D180C1756CD1C6D74A20BC9BAE07898B3984B34D1F7A5D2FE47A3A
TrID 34.9% (.XLS) Microsoft Excel sheet (32500/1/3)
30.1% (.XLS) Microsoft Excel sheet (alternate) (28000/1/3)
26.3% (.XLS) Microsoft Excel sheet (alternate) (24500/1/2)
8.6% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika xls
Reporter TomU
Tags:xls

Intelligence


File Origin
# of uploads :
2
# of downloads :
70
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
_41d5f3d7248164c110416a2558037f2cfaa87de694dfa6d2c4dc6685e7473f9e.xls
Verdict:
No threats detected
Analysis date:
2026-07-03 17:53:27 UTC
Tags:
doc-url qrcode

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Legit
File type:
text/xml
Has a screenshot:
False
Contains macros:
False
Verdict:
Malicious
Score:
94.1%
Tags:
office macro micro
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Connection attempt by exploiting the app vulnerability
Result
Verdict:
Malicious
File Type:
Legacy Excel File with Macro
Payload URLs
URL
File name
http://000010217725041/httpswww.gartner.comennewsroompress-releases2025-05-13-gartner-identifies-top-trends-shaping-the-future-of-cloud.php
Embedded Ole
Behaviour
SuspiciousRTF detected
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
macros
Label:
Malicious
Suspicious Score:
10/10
Score Malicious:
1%
Score Benign:
0%
Verdict:
Malicious
File Type:
xls
First seen:
2026-06-15T02:39:00Z UTC
Last seen:
2026-07-05T10:25:00Z UTC
Hits:
~10000
Detections:
HEUR:Trojan.OLE2.Badur.genw HEUR:Trojan-Downloader.MSOffice.Agent.gen Trojan.MSOffice.SAgent.sb Trojan-Downloader.Agent.HTTP.C&C PDM:Exploit.Win32.Generic HEUR:Trojan.Script.Generic HEUR:Trojan.OLE2.UrcBadur.genw HEUR:Trojan.HTA.SAgent.gen HEUR:Exploit.MSOffice.CVE-2017-0199.gen
Gathering data
Threat name:
Win32.Trojan.Ravartar
Status:
Malicious
First seen:
2026-06-15 08:54:40 UTC
File Type:
Document
Extracted files:
38
AV detection:
19 of 36 (52.78%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  1/10
Tags:
persistence ransomware
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:informational_win_ole_protected
Author:Jeff White (karttoon@gmail.com) @noottrak
Description:Identify OLE Project protection within documents.
Rule name:XLS_STRINGS
Author:somedieyoungZZ
Description:Detect Strings targeting Bangladesh

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Excel file xls 41d5f3d7248164c110416a2558037f2cfaa87de694dfa6d2c4dc6685e7473f9e

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments