MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4488de9b8c97006d9784b08dd4d8d41de2473253dd4d58e93e8b2a68eb6a97db. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments

SHA256 hash: 4488de9b8c97006d9784b08dd4d8d41de2473253dd4d58e93e8b2a68eb6a97db
SHA3-384 hash: 0f72a1643cde73df92c3b33c955c3975f877d6ac10ebdaf7cacc0cca5595cfb38b042957d87d6aa7c8fb2e45da2b0873
SHA1 hash: 269cae4a3a7031ffa89a96569ef95656395305f1
MD5 hash: 905d448a2c42320cd71429634f7c599f
humanhash: zulu-venus-uncle-edward
File name:ProjectXNo.88719_ECOFIX.rtf
Download: download sample
File size:123'376 bytes
First seen:2026-06-22 15:10:59 UTC
Last seen:Never
File type:Rich Text Format (RTF) rtf
MIME type:text/plain
ssdeep 384:mm8pSSeFvEk/OXT0+b/SKM9K0wFeDdKSRpbnIJxzMTHmMOhlQOAUQc2YLVz3Fvg:mLSSemL9/NoK0Jdi18mMOLvld2EVzV4
TLSH T1E4C378A8E79E01A4CF50623B432B980896FCB73EF711553670AC936433EDD2D89A597C
Magika txt
Reporter lowmal3
Tags:CVE-2017-11882 rtf

Intelligence


File Origin
# of uploads :
1
# of downloads :
47
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Project No.88719_ECOFIX.rtf
Verdict:
No threats detected
Analysis date:
2026-06-22 12:11:48 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Legit
File type:
application/rtf
Has a screenshot:
False
Contains macros:
False
Verdict:
Malicious
Score:
94.9%
Tags:
shell micro sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for synchronization primitives
Launching a process
Creating a window
DNS request
Sending an HTTP GET request
Creating a file in the %AppData% directory
Сreating synchronization primitives
Launching cmd.exe command interpreter
Possible injection to a system process
Connection attempt by exploiting the app vulnerability
Launching a file downloaded from the Internet
Sending a custom TCP request by exploiting the app vulnerability
Creating a process from a recently created file
Unauthorized injection to a system process
Result
Verdict:
Malicious
File Type:
RTF File
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
corrupted packed
Verdict:
Malicious
File Type:
rtf
First seen:
2026-06-22T00:13:00Z UTC
Last seen:
2026-06-24T13:08:00Z UTC
Hits:
~10000
Detections:
Backdoor.Win32.Blakken.sb HEUR:Exploit.RTF.Generic Trojan-Spy.Noon.HTTP.ServerRequest Backdoor.Agent.HTTP.C&C Trojan.Win32.SpeedBit.sb Trojan.Win32.Shelma.sb Trojan-Dropper.Win32.Injector.sb Trojan-Dropper.MSOffice.SDrop.sb Trojan-Downloader.MSOffice.SLoad.sb HEUR:Trojan.MSIL.Crypt.gen Trojan.Win32.Agent.sb Trojan.MSIL.Crypt.sb Trojan-Spy.Win32.Noon.sb Trojan-Downloader.MSOffice.Agent.sb HEUR:Exploit.MSOffice.CVE-2018-0802.gen Backdoor.Win32.Androm.sb HEUR:Exploit.MSOffice.CVE-2017-11882.g Trojan.MSIL.Inject.sb PDM:Trojan.Win32.Generic Exploit.MSOffice.CVE-2018-0802.b
Result
Threat name:
n/a
Detection:
malicious
Classification:
expl
Score:
76 / 100
Signature
Antivirus / Scanner detection for submitted sample
Document exploit detected (process start blacklist hit)
Initial sample is an obfuscated RTF file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Verdict:
Malicious
Threat:
Trojan.Win32.CVE-2018-0802
Threat name:
Document-RTF.Exploit.CVE-2017-11882
Status:
Malicious
First seen:
2026-06-22 03:17:59 UTC
File Type:
Document
Extracted files:
4
AV detection:
19 of 38 (50.00%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SUSP_INDICATOR_RTF_MalVer_Objects
Author:ditekSHen
Description:Detects RTF documents with non-standard version and embedding one of the object mostly observed in exploit (e.g. CVE-2017-11882) documents.
Reference:https://github.com/ditekshen/detection
Rule name:SUSP_RTF_Header_Anomaly_RID2F7F
Author:Florian Roth
Description:Detects malformed RTF header often used to trick mechanisms that check for a full RTF header
Reference:https://twitter.com/ItsReallyNick/status/975705759618158593

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Rich Text Format (RTF) rtf 4488de9b8c97006d9784b08dd4d8d41de2473253dd4d58e93e8b2a68eb6a97db

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments