MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4acfcdad53d661fdf3619adf8e27cdcf86873016cd39c82ce0017bea39932bc1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4acfcdad53d661fdf3619adf8e27cdcf86873016cd39c82ce0017bea39932bc1
SHA3-384 hash: 13f5248c09aaefb927367837f0538a47ffcfac439cee7e948eeacb5ec0ca96a2d871b6a129112cabd397ba888563a668
SHA1 hash: 6b8de3ddbd914d051a345f3b145cc07bd78feeb2
MD5 hash: 58322e957e9ef4dbb9703cae852fce5e
humanhash: yankee-london-earth-december
File name:cbe1.pdf.lnk
Download: download sample
File size:2'980 bytes
First seen:2025-12-24 02:01:17 UTC
Last seen:Never
File type:Shortcut (lnk) lnk
MIME type:application/x-ms-shortcut
ssdeep 24:8Ayw/BHYVKVWf+/CWzAt2VFv7kaHqaj5CCh5oeAm1dd79dsrabqOl:8y5aX2V9AaKaj5CChieAm1dJ9AauO
TLSH T1CF518A001EEA1218F3778B715BF9B3668577F854DD385BAD004E86442733650E4B6F6B
Magika lnk
Reporter smica83
Tags:lnk

Intelligence

File Origin
# of uploads :
1
# of downloads :
46
Origin country :
HU HU
Vendor Threat Intelligence
Malware configuration found for:
LNK
Details
LNK
a command line and any observed urls
Link:
https://research.acce.ciphertechsolutions.com/results/31685624-49d6-4e11-8927-799274820721/
Detection(s):
Sanesecurity.Malware.28759.LnkHeur.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.30777.LnkHeur.UNOFFICIAL
Create hunting rule

TwinWave.EvilLNK.LOLBinOddLookPSHELL.20220711.UNOFFICIAL
Create hunting rule

TwinWave.EvilLNK.OddLook.202207213.UNOFFICIAL
Create hunting rule

TwinWave.EvilLNK.Guinnesses.20220719.UNOFFICIAL
Create hunting rule

TwinWave.EvilLNK.Guinnesses.20221102.UNOFFICIAL
Create hunting rule

TwinWave.EvilLNK.KingForADaypshell.20231121.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=694b497701c7b4a8fe5545a8
Tags:
obfuscate xtreme shell
Result
Verdict:
Malicious
File Type:
LNK File - Malicious
Link:
https://app.docguard.net/4acfcdad53d661fdf3619adf8e27cdcf86873016cd39c82ce0017bea39932bc1/results/dashboard
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 evasive masquerade powershell powershell
Link:
https://www.filescan.io/uploads/694b49763f8fdbf8e9509987/reports/062b93ef-0dda-4690-837c-2c16538ae276/overview
Verdict:
Malicious
Labled as:
TrojanDownloader/LNK.Agent
Link:
https://www.hybrid-analysis.com/sample/4acfcdad53d661fdf3619adf8e27cdcf86873016cd39c82ce0017bea39932bc1
Result
Gathering data
Verdict:
Malicious
File Type:
lnk
First seen:
2025-12-23T18:35:00Z UTC
Last seen:
2025-12-23T22:10:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/4acfcdad53d661fdf3619adf8e27cdcf86873016cd39c82ce0017bea39932bc1/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1838587
Signature
Antivirus detection for URL or domain
Encrypted powershell cmdline option found
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Uses an obfuscated file name to hide its real file extension (double extension)
Windows shortcut file (LNK) starts blacklisted processes
Yara detected LNK With Padded Argument
Behaviour
Behavior Graph:
Download SVG
Verdict:
Malware
YARA:
2 match(es)
Tags:
Batch Command Execution: CMD in LNK Execution: PowerShell in LNK LNK LOLBin LOLBin:powershell.exe Malicious PowerShell PowerShell Call T1059.001 T1059.003 T1202: Indirect Command Execution T1204.002
Link:
https://app.malva.re/file/58322e957e9ef4dbb9703cae852fce5e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4acfcdad53d661fdf3619adf8e27cdcf86873016cd39c82ce0017bea39932bc1/
Threat name:
Shortcut.Trojan.Boxter
Create hunting rule
Status:
Malicious
First seen:
2025-12-23 22:48:34 UTC
AV detection:
12 of 38 (31.58%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jlh43lkt2zq7343btlpy4j6nz6diomawzu44qlhaaf56uomtfpaq._file
Gathering data
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4acfcdad53d661fdf3619adf8e27cdcf86873016cd39c82ce0017bea39932bc1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:EXT_EXPL_ZTH_LNK_EXPLOIT_A
Create hunting rule
Author:Peter Girnus
Description:This YARA file detects padded LNK files designed to exploit ZDI-CAN-25373.
Reference:https://www.trendmicro.com/en_us/research/25/c/windows-shortcut-zero-day-exploit.html
Rule name:PS_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies PowerShell artefacts in shortcut (LNK) files.
Rule name:SUSP_LNK_PowerShell
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects the reference to powershell inside an lnk file, which is suspicious
Rule name:SUSP_PS1_JAB_Pattern_Jun22_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Shortcut (lnk) lnk 4acfcdad53d661fdf3619adf8e27cdcf86873016cd39c82ce0017bea39932bc1

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3741567/
  
Delivery method
Distributed via web download

Comments


Avatar
commented on 2025-12-24 07:43:47 UTC

Payload delivery URL:
https://64.95.10.212/default.mp4