MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5c70a7edff808a2fc109f26ebffc728cb39a3b28eb492417302167292f83dc44. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 14


Intelligence 14 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5c70a7edff808a2fc109f26ebffc728cb39a3b28eb492417302167292f83dc44
SHA3-384 hash: 7e417121dd7ef892a7f0b707e6a218c49118aeca0157c79b81f17ba4a0bec91e19371c924ddec37bae28d8d56c99140d
SHA1 hash: 1a016becbfbfe9d4a8cc28511c096942b415bbe7
MD5 hash: 7e94fbb8330f2a994eb2f707aac45c14
humanhash: romeo-utah-papa-johnny
File name:5c70a7edff808a2fc109f26ebffc728cb39a3b28eb492417302167292f83dc44.rtf
Download: download sample
File size:115'645 bytes
First seen:2026-02-04 05:12:40 UTC
Last seen:2026-02-04 06:21:23 UTC
File type:Rich Text Format (RTF) rtf
MIME type:text/rtf
ssdeep 3072:MBKQCtr8Fa2PGFkrKvxXwT66wP/WlwVI+fBjeghaMn01oOHr:H5roZShWjwHawVIEAoaMn+oOHr
TLSH T117B3BF2EE74F0915DF55A6BB034A4E490AFCB33DB38140A139AC977437ADC2E466287C
TrID 83.3% (.RTF) Rich Text Format (5000/1)
16.6% (.JSON) JSON object (generic) (1000/1)
Magika unknown
Reporter JAMESWT_WT
Tags:CVE-2017-11882 mismilahioluwadoam-duckdns-org rtf

Intelligence

File Origin
# of uploads :
2
# of downloads :
37
Origin country :
IT IT
Vendor Threat Intelligence
Malware configuration found for:
MSO
Details
MSO
extracted component(s) such as package(s) and OLE files
Link:
https://research.acce.ciphertechsolutions.com/results/14c51980-cb6a-4384-b84c-887f21332b5c/
Malware family:
remcos
Create hunting rule
ID:
1
File name:
PMNT ADVICE_INV01202026.docx
Verdict:
Malicious activity
Analysis date:
2026-01-20 14:21:11 UTC
Tags:
doc-url exploit cve-2017-11882 cve-2017-0199 susp-powershell loader reverseloader rat remcos remote stealer payload
Link:
https://app.any.run/tasks/dab3d344-2564-4a0f-aca5-5b86a1e59895

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Sanesecurity.Shelter.Malware.BadRtf.ObjUpd.UNOFFICIAL
Create hunting rule

TwinWave.EvilRTF.ObfusRunAway.20240409.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6982d56c6b1af47db72ca130
Tags:
office virus micro
Result
Verdict:
Malicious
File Type:
RTF File
Link:
https://app.docguard.net/5c70a7edff808a2fc109f26ebffc728cb39a3b28eb492417302167292f83dc44/results/dashboard
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
CVE-2017-11882 embedequation exploit shellcode
Link:
https://www.filescan.io/uploads/6982d569981ff1d38a478859/reports/cfbdb8ad-f0fc-4e35-a16b-fea5e78ce201/overview
Verdict:
Malicious
Labled as:
CVE-2017-11882
Link:
https://www.hybrid-analysis.com/sample/5c70a7edff808a2fc109f26ebffc728cb39a3b28eb492417302167292f83dc44
Result
Gathering data
Verdict:
Malicious
File Type:
rtf
First seen:
2026-01-22T21:44:00Z UTC
Last seen:
2026-01-23T02:37:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/5c70a7edff808a2fc109f26ebffc728cb39a3b28eb492417302167292f83dc44/results?tab=lookup
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/5c70a7edff808a2fc109f26ebffc728cb39a3b28eb492417302167292f83dc44
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5c70a7edff808a2fc109f26ebffc728cb39a3b28eb492417302167292f83dc44/
Verdict:
Malicious
Threat:
Exploit.MSOffice.CVE-2017-11882
Link:
https://tip.neiki.dev/file/5c70a7edff808a2fc109f26ebffc728cb39a3b28eb492417302167292f83dc44
Threat name:
Document-RTF.Exploit.CVE-2017-11882
Create hunting rule
Status:
Malicious
First seen:
2026-01-22 00:38:26 UTC
File Type:
Document
Extracted files:
4
AV detection:
20 of 36 (55.56%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lrykp3p7qcfc7qij6jxl77dsrszzuozi5nesifzqeftssl4d3rca._file
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/260204-fwhrfacw7c/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5c70a7edff808a2fc109f26ebffc728cb39a3b28eb492417302167292f83dc44

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SUSP_INDICATOR_RTF_MalVer_Objects
Create hunting rule
Author:ditekSHen
Description:Detects RTF documents with non-standard version and embedding one of the object mostly observed in exploit (e.g. CVE-2017-11882) documents.
Reference:https://github.com/ditekshen/detection

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments