MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 58ce063b0d0fd247f0bd4386bcd11523c72d5d9845157ef6c9b9f206ca16cd7b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 14

Intelligence 14 IOCs YARA 1 File information Comments

SHA256 hash:	58ce063b0d0fd247f0bd4386bcd11523c72d5d9845157ef6c9b9f206ca16cd7b
SHA3-384 hash:	88c9d1c802067114ede26b714e2c16d8c2d4121a84cde0eab16a95635e78c3a96512737c1979aa27c6e227def86397c1
SHA1 hash:	dfa4f708534f56df03b96572cc9bdfcfbbc3a795
MD5 hash:	7e76dde042f79b2216713b2d86110d75
humanhash:	eighteen-stairway-winter-video
File name:	58ce063b0d0fd247f0bd4386bcd11523c72d5d9845157ef6c9b9f206ca16cd7b.doc
Download:	download sample
File size:	54'066 bytes
First seen:	2025-11-05 13:29:15 UTC
Last seen:	Never
File type:	doc
MIME type:	text/rtf
ssdeep	768:h6VaqiO/zSMxMZ1TMEY9eUb75FlBJowgDdJHU:2a6/zS2IZa5LondW
TLSH	T16C33BD99D38F05A5CF54A77B132A4A0946FCB33EB30841B174AC933037EEC2D59A5578
TrID	83.3% (.RTF) Rich Text Format (5000/1) 16.6% (.JSON) JSON object (generic) (1000/1)
Magika	txt
Reporter	JAMESWT_WT
Tags:	185-149-24-201 62-60-239-118 CVE-2017-11882 doc Spam-ITA

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Ordine acquisto ODA25002173.docx

Verdict:

No threats detected

Analysis date:

2025-11-05 13:33:26 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/e8a3e58f-cf7e-43dc-ae23-c9a75c802501

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Sanesecurity.Shelter.Malware.BadRtf.ObjUpd.UNOFFICIAL

MiscreantPunch.RTF.2017-0199.Obfus.171711.UNOFFICIAL

TwinWave.EvilRTF.ObfusRunAway.20240409.UNOFFICIAL

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=690b51445a5ed7864e23205e

Tags:

office trojan spawn

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Connection attempt

Searching for synchronization primitives

Launching a process

Creating a window

Sending an HTTP GET request

Creating a file in the %AppData% directory

Сreating synchronization primitives

Connection attempt by exploiting the app vulnerability

Launching a file downloaded from the Internet

Creating a process from a recently created file

Result

Verdict:

Malicious

File Type:

Fake RTF File

Link:

https://app.docguard.net/58ce063b0d0fd247f0bd4386bcd11523c72d5d9845157ef6c9b9f206ca16cd7b/results/dashboard

Behaviour

BlacklistAPI detected

Gathering data

Verdict:

Malicious

Labled as:

CVE-2017-11882

Link:

https://www.hybrid-analysis.com/sample/58ce063b0d0fd247f0bd4386bcd11523c72d5d9845157ef6c9b9f206ca16cd7b

Label:

Malicious

Suspicious Score:

10/10

Score Malicious:

Score Benign:

Link:

https://www.malware.ai/gui/files/?id=fbb5e722-3a1d-4dda-b8cd-0ee48a92f75c

Verdict:

Malicious

File Type:

rtf

First seen:

2025-11-05T08:38:00Z UTC

Last seen:

2025-11-05T10:19:00Z UTC

Hits:

~100

Link:

https://opentip.kaspersky.com/58ce063b0d0fd247f0bd4386bcd11523c72d5d9845157ef6c9b9f206ca16cd7b/results?tab=lookup

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/58ce063b0d0fd247f0bd4386bcd11523c72d5d9845157ef6c9b9f206ca16cd7b

Verdict:

inconclusive

YARA:

2 match(es)

Tags:

RTF File

Link:

https://app.malva.re/file/7e76dde042f79b2216713b2d86110d75

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/58ce063b0d0fd247f0bd4386bcd11523c72d5d9845157ef6c9b9f206ca16cd7b/

Verdict:

Malicious

Threat:

Exploit.MSOffice.XWorm

Link:

https://tip.neiki.dev/file/58ce063b0d0fd247f0bd4386bcd11523c72d5d9845157ef6c9b9f206ca16cd7b

Threat name:

Document-RTF.Exploit.CVE-2017-11882

Status:

Malicious

First seen:

2025-11-05 13:31:08 UTC

File Type:

Document

Extracted files:

AV detection:

15 of 24 (62.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ldhamoynb7jep4f5iodlzuivepds2xmyiukx55wjxhzansqwzv5q._file

Verdict:

malicious

Label(s):

unc_loader_037

purecrypter

katzstealer

Similar samples:

error

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/251105-qrg98asqdm/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/92c5bea3-fe1e-4c9d-b6d9-30b3e4851ec9

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/58ce063b0d0f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/58ce063b0d0fd247f0bd4386bcd11523c72d5d9845157ef6c9b9f206ca16cd7b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	SUSP_INDICATOR_RTF_MalVer_Objects Create hunting rule
Author:	ditekSHen
Description:	Detects RTF documents with non-standard version and embedding one of the object mostly observed in exploit (e.g. CVE-2017-11882) documents.
Reference:	https://github.com/ditekshen/detection

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample