MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4d1f1322b1f81a3071dcbc82ad89f648def2cbd77bd78368be2545e0660901f2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 11

Maldoc score: 1928

Intelligence 11 IOCs YARA 10 File information Comments

SHA256 hash:	4d1f1322b1f81a3071dcbc82ad89f648def2cbd77bd78368be2545e0660901f2
SHA3-384 hash:	aa4aff94613516d713a2e49c8ed3aa3bbecd6c601dbeab9cd45b9f09922578d420b1cc5c0fd4c0c1396a4f1849200fea
SHA1 hash:	f8c8efe101635ed66c31bed2a575a162fd87822f
MD5 hash:	2d658f5faa429aad9134d4364a658f20
humanhash:	ack-arkansas-lemon-ohio
File name:	march paye.xlsm
Download:	download sample
File size:	589'939 bytes
First seen:	2026-06-04 14:28:31 UTC
Last seen:	Never
File type:	xlsm
MIME type:	application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
ssdeep	12288:RlI5mhFj3mq69kMMxKCXNQDVaxOV5oogw/g//bps9MEoxN6K:R7nUWPNSaUsNw/Cbp48NF
TLSH	T1A8C4236DAF6BD08DC3074A3EC71D56712608BF00D056C25A3211FE19AA7E0FE979F998
TrID	42.4% (.XLAM) Excel Macro-enabled Open XML add-in (83500/1/13) 29.2% (.XLSM) Excel Microsoft Office Open XML Format document (with Macro) (57500/1/12) 17.3% (.XLSX) Excel Microsoft Office Open XML Format document (34000/1/7) 8.9% (.ZIP) Open Packaging Conventions container (17500/1/4) 2.0% (.ZIP) ZIP compressed archive (4000/1)
Magika	xlsx
Reporter	abuse_ch
Tags:	xlsm

Office OLE Information

This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE id

Maldoc score: 1928

File Format is MS Excel 2007+

Container Format is OpenXML

Office document contains VBA Macros

Embedded Images

MalwareBazaar found the following images embedded in this file:

MD5 hash	dc.creator	# of relations
ce962e4c224659f5676af80f1ad42917	User	3
96727a767e41d041e03c4eccf924479e	User	3
350cc44640f3636fbd2e4781d8384a04	User	3
d62d83ad6bb9e15044016d0053a3ce69	User	3
6f49a8fc9937d54e1400d626a514d217	User	3
79c7f9b4406f754356dd44a2d1b10493	User	3
68371bea104f7d95d767cf32588fb6b8	User	3

OLE dump

MalwareBazaar was able to identify 66 sections in this file using oledump:

Section ID	Section size	Section name
A1	1482 bytes	PROJECT
A2	503 bytes	PROJECTwm
A3	50500 bytes	VBA/CSHA256
A4	620227 bytes	VBA/Module1
A5	24585 bytes	VBA/Module2
A6	85262 bytes	VBA/Module3
A7	1180 bytes	VBA/Sheet1
A8	1181 bytes	VBA/Sheet11
A9	36728 bytes	VBA/Sheet14
A10	5645 bytes	VBA/Sheet17
A11	1180 bytes	VBA/Sheet2
A12	1181 bytes	VBA/Sheet20
A13	1181 bytes	VBA/Sheet21
A14	5611 bytes	VBA/Sheet221
A15	5611 bytes	VBA/Sheet222
A16	1181 bytes	VBA/Sheet25
A17	1180 bytes	VBA/Sheet3
A18	1180 bytes	VBA/Sheet4
A19	1180 bytes	VBA/Sheet6
A20	36560 bytes	VBA/Sheet7
A21	6825 bytes	VBA/Sheet8
A22	39969 bytes	VBA/Sheet9
A23	11871 bytes	VBA/ThisWorkbook
A24	30042 bytes	VBA/_VBA_PROJECT
A25	36263 bytes	VBA/__SRP_0
A26	4706 bytes	VBA/__SRP_1
A27	464 bytes	VBA/__SRP_10
A28	106 bytes	VBA/__SRP_11
A29	464 bytes	VBA/__SRP_12
A30	106 bytes	VBA/__SRP_13
A31	464 bytes	VBA/__SRP_14
A32	106 bytes	VBA/__SRP_15
A33	464 bytes	VBA/__SRP_16
A34	106 bytes	VBA/__SRP_17
A35	464 bytes	VBA/__SRP_18
A36	106 bytes	VBA/__SRP_19
A37	14460 bytes	VBA/__SRP_1a
A38	182 bytes	VBA/__SRP_1b
A39	464 bytes	VBA/__SRP_1c
A40	106 bytes	VBA/__SRP_1d
A41	464 bytes	VBA/__SRP_1e
A42	106 bytes	VBA/__SRP_1f
A43	95160 bytes	VBA/__SRP_2
A44	876 bytes	VBA/__SRP_20
A45	258 bytes	VBA/__SRP_21
A46	464 bytes	VBA/__SRP_22
A47	106 bytes	VBA/__SRP_23
A48	464 bytes	VBA/__SRP_24
A49	106 bytes	VBA/__SRP_25
A50	12953 bytes	VBA/__SRP_26
A51	1258 bytes	VBA/__SRP_27
A52	17486 bytes	VBA/__SRP_3
A53	3655 bytes	VBA/__SRP_4
A54	720 bytes	VBA/__SRP_5
A55	3452 bytes	VBA/__SRP_6
A56	2018 bytes	VBA/__SRP_7
A57	796 bytes	VBA/__SRP_8
A58	232 bytes	VBA/__SRP_9
A59	1096 bytes	VBA/__SRP_a
A60	332 bytes	VBA/__SRP_b
A61	19040 bytes	VBA/__SRP_c
A62	232 bytes	VBA/__SRP_d
A63	6936 bytes	VBA/__SRP_e
A64	682 bytes	VBA/__SRP_f
A65	1045 bytes	VBA/dir

OLE vba

MalwareBazaar was able to extract and deobfuscate VBA script(s) the following information from OLE objects embedded in this file using olevba:

Type	Keyword	Description
AutoExec	Workbook_Open	Runs when the Excel Workbook is opened
AutoExec	Workbook_Activate	Runs when the Excel Workbook is opened
AutoExec	Workbook_BeforeClose	Runs when the Excel Workbook is closed
AutoExec	Worksheet_Change	Runs when the file is opened and ActiveXobjects trigger events
Hex String	3UD1	33554431
Hex String	3UD2	33554432
Hex String	esT	650A7354
IOC	http://www.frez.co.uk	URL
IOC	7z.exe	Executable file name
String		code and P-code are different, this may havebeen used to hide malicious code
Suspicious	Open	May open a file
Suspicious	Write	May write to a file (if combined with Open)
Suspicious	put	May write to a file (if combined with Open)
Suspicious	Output	May write to a file (if combined with Open)
Suspicious	binary	May read or write a binary file (if combinedwith Open)
Suspicious	FileCopy	May copy a file
Suspicious	CopyHere	May copy a file
Suspicious	Kill	May delete a file
Suspicious	CreateTextFile	May create a text file
Suspicious	Shell	May run an executable file or a systemcommand
Suspicious	vbNormal	May run an executable file or a systemcommand
Suspicious	vbHide	May run an executable file or a systemcommand
Suspicious	WScript.Shell	May run an executable file or a systemcommand
Suspicious	Create	May execute file or a system command throughWMI
Suspicious	MkDir	May create a directory
Suspicious	ActiveWorkbook.SaveAs	May save the current workbook
Suspicious	CreateObject	May create an OLE object
Suspicious	GetObject	May get an OLE object with a running instance
Suspicious	Shell.Application	May run an application (if combined withCreateObject)
Suspicious	Windows	May enumerate application windows (ifcombined with Shell.Application object)
Suspicious	Lib	May run code from a DLL
Suspicious	Chr	May attempt to obfuscate specific strings(use option --deobf to deobfuscate)
Suspicious	Xor	May attempt to obfuscate specific strings(use option --deobf to deobfuscate)
Suspicious	RegRead	May read registry keys
Suspicious	System	May run an executable file or a systemcommand on a Mac (if combined withlibc.dylib)
Suspicious	Hex Strings	Hex-encoded strings were detected, may beused to obfuscate strings (option --decode tosee all)
Suspicious	Base64 Strings	Base64-encoded strings were detected, may beused to obfuscate strings (option --decode tosee all)

Intelligence

File Origin

# of uploads :

# of downloads :

132

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

MSO

Details

MSO

extracted OLE packages, if they are present within the input OOXML document

Link:

https://research.acce.ciphertechsolutions.com/results/0551151e-0eac-4d79-a4be-6584fad8d17f/

Malware family:

n/a

ID:

File name:

xlsm

Verdict:

No threats detected

Analysis date:

2026-06-04 14:31:20 UTC

Tags:

macros macros-on-open

Link:

https://app.any.run/tasks/f0d5cb75-6348-4b5c-861f-1fd8ef39c082

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict:

Malicious

File type:

application/octet-stream

Has a screenshot:

False

Contains macros:

False

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/68998/

Detection(s):

TwinWave.EvilDoc.CROKissFromARose.M4.20201215.UNOFFICIAL

Sanesecurity.Badmacro.XlsM.objshell.UNOFFICIAL

Sanesecurity.Badmacro.Doc.Specell.UNOFFICIAL

Verdict:

Suspicious

Score:

50%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6a218bc5f8676ad4d36107e9

Tags:

office macro micro

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Result

Verdict:

Malicious

File Type:

Excel File with Macro

Link:

https://app.docguard.net/4d1f1322b1f81a3071dcbc82ad89f648def2cbd77bd78368be2545e0660901f2/results/dashboard

Behaviour

BlacklistAPI detected

Document image

Image:

Download PNG

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/4d1f1322b1f81a3071dcbc82ad89f648def2cbd77bd78368be2545e0660901f2

Label:

Benign

Suspicious Score:

/10

Score Malicious:

Score Benign:

Link:

https://www.malware.ai/gui/files/?id=86ee8c10-17b0-4b2d-ba20-f431346a1906

Verdict:

Clean

File Type:

xlsm

Link:

https://opentip.kaspersky.com/4d1f1322b1f81a3071dcbc82ad89f648def2cbd77bd78368be2545e0660901f2/results?tab=lookup

Result

Threat name:

n/a

Detection:

malicious

Classification:

expl.evad

Score:

72 / 100

Link:

https://www.joesandbox.com/analysis/1923051

Signature

Detected evasive VBA macro (filename check)

Document contains an embedded VBA macro which may execute processes

Document contains an embedded VBA macro with suspicious strings

Document contains an embedded VBA with functions possibly related to ADO stream file operations

Document contains an embedded VBA with hexadecimal encoded strings

Document contains an embedded VBA with many string operations indicating source code obfuscation

Document contains VBA stomped code (only p-code) potentially bypassing AV detection

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

OFFICE

Link:

https://malprob.io/report/4d1f1322b1f81a3071dcbc82ad89f648def2cbd77bd78368be2545e0660901f2

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4d1f1322b1f81a3071dcbc82ad89f648def2cbd77bd78368be2545e0660901f2/

Verdict:

Malicious

Link:

https://tip.neiki.dev/file/4d1f1322b1f81a3071dcbc82ad89f648def2cbd77bd78368be2545e0660901f2

Threat name:

Document.Trojan.Heuristic

Status:

Malicious

First seen:

2026-06-04 13:01:07 UTC

File Type:

Document

Extracted files:

174

AV detection:

3 of 23 (13.04%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=juprgivr7anda4o4xsbk3cpwjdppfs6xpplyg2f6evc6azqjahza._file

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/260604-rtpmraht4k/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.70

Link:

https://yomi.yoroi.company/submissions/4d1f1322b1f81a3071dcbc82ad89f648def2cbd77bd78368be2545e0660901f2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	detect_tiny_vbs Create hunting rule
Author:	daniyyell
Description:	Detects tiny VBS delivery technique

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	informational_win_ole_protected Create hunting rule
Author:	Jeff White (karttoon@gmail.com) @noottrak
Description:	Identify OLE Project protection within documents.

Rule name:	TA505_Maldoc_21Nov_2 Create hunting rule
Author:	Arkbird_SOLG
Description:	invitation (1).xls
Reference:	https://twitter.com/58_158_177_102/status/1197432303057637377

Rule name:	TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE Create hunting rule
Author:	CYFARE
Description:	Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:	https://cyfare.net/

Rule name:	vbaproject_bin Create hunting rule
Author:	CD_R0M_
Description:	{76 62 61 50 72 6f 6a 65 63 74 2e 62 69 6e} is hex for vbaproject.bin. Macros are often used by threat actors. Work in progress - Ran out of time

Rule name:	VECT_Ransomware Create hunting rule
Author:	Mustafa Bakhit
Description:	Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/68998/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample