MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 65ee2ef8073cd071cba79b4b2fa72a94b2912ab692360eabf32e6e4e9e2165b8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 17


Intelligence 17 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 65ee2ef8073cd071cba79b4b2fa72a94b2912ab692360eabf32e6e4e9e2165b8
SHA3-384 hash: 49bfa3eb1d99bf623fee1bdda4cf4f187a20fd25891cbfadd94512480bfd1eb45620184f367f09ea2fe816ce0536ab68
SHA1 hash: becc805bfef5793167787beb23f54d8139f4fb64
MD5 hash: cb2e069e1a755acb1cf27ed78e029c3f
humanhash: sink-mike-sad-november
File name:Invoice.xlam
Download: download sample
Signature DarkCloud
Create hunting rule
File size:3'566'648 bytes
First seen:2026-02-03 15:43:45 UTC
Last seen:Never
File type:Excel file xlsx
MIME type:application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
ssdeep 49152:kkBWscrzrUhMf2FVLdNXQg0dIAp2VNv6Yr0G6ioFiMBpdY2NXLeAB3y1wzhtgKNH:kkB16PG6nkM9Y2BeANKQVNRo+yW+EZ
TLSH T1C1F502C4C8432870AB3D5811CA6F962D201F70B356266E286E59B2F87D9D4F7CDA52FC
TrID 61.2% (.XLSX) Excel Microsoft Office Open XML Format document (34000/1/7)
31.5% (.ZIP) Open Packaging Conventions container (17500/1/4)
7.2% (.ZIP) ZIP compressed archive (4000/1)
Magika xlsx
Reporter lowmal3
Tags:CVE-2017-11882 DarkCloud xlsx

Office OLE Information

This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE dump

MalwareBazaar was able to identify 3 sections in this file using oledump:

Section IDSection sizeSection name
A12961323 byteseQUAtion nATIVE
A20 bytestAB5BKlJooS3KHJzIKa7GcM3xIK

Intelligence

File Origin
# of uploads :
1
# of downloads :
135
Origin country :
DE DE
Vendor Threat Intelligence
Malware configuration found for:
MSO
Details
MSO
extracted OLE packages, if they are present within the input OOXML document
Link:
https://research.acce.ciphertechsolutions.com/results/207b3df4-1c91-43c6-8091-2779031c368e/
Malware family:
n/a
ID:
1
File name:
Invoice.xlam
Verdict:
No threats detected
Analysis date:
2026-02-03 15:44:55 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a68bb065-d31b-4a7d-991e-061e15c3420e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Legit
File type:
text/xml
Has a screenshot:
False
Contains macros:
False
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/51511/
Detection(s):
TwinWave.EvilDoc.OkayLureDefenderXL.20220418.UNOFFICIAL
Create hunting rule

Sanesecurity.Shelter.Malware.BadMacro.BadEquNat.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.EQEditorMixerMeantToLast.20200413.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=698217e1183032faf3eef7e5
Tags:
office shell micro
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Creating a window
Searching for synchronization primitives
Launching a process
Sending an HTTP GET request to an infection source by exploiting the app vulnerability
Creating a file in the %AppData% directory
Creating a process with a hidden window
Connection attempt to an infection source by exploiting the app vulnerability
Creating a process from a recently created file
Result
Verdict:
Malicious
File Type:
OOXML Excel File with Embedding Objects
Link:
https://app.docguard.net/65ee2ef8073cd071cba79b4b2fa72a94b2912ab692360eabf32e6e4e9e2165b8/results/dashboard
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm embedequation evasive exploit masquerade obfuscated shellcode
Link:
https://www.filescan.io/uploads/698217e12ffccda097670308/reports/3454bef0-6c50-4ce1-aceb-6ff0c2c065c2/overview
Verdict:
Malicious
Labled as:
CVE-2018-0798
Link:
https://www.hybrid-analysis.com/sample/65ee2ef8073cd071cba79b4b2fa72a94b2912ab692360eabf32e6e4e9e2165b8
Label:
Malicious
Suspicious Score:
9.4/10
Score Malicious:
95%
Score Benign:
5%
Link:
https://www.malware.ai/gui/files/?id=06a566e5-c219-471c-89ec-b0e98626d1d6
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/65ee2ef8073cd071cba79b4b2fa72a94b2912ab692360eabf32e6e4e9e2165b8
Verdict:
Malicious
File Type:
xlam
First seen:
2026-02-03T07:58:00Z UTC
Last seen:
2026-02-04T01:53:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan-Downloader.Script.Generic Exploit.MSOffice.CVE-2018-0802.b Trojan.Win32.InjectorNetT.s HEUR:Trojan.Script.Generic HEUR:Exploit.MSOffice.CVE-2018-0802.gen Trojan.JS.SAgent.sb Trojan.MSOffice.Agent.sb Trojan-Downloader.JS.SLoad.sb Trojan-Downloader.Win32.Agent.sb Trojan-Downloader.MSOffice.SLoad.sb Trojan.Win32.Shelma.sb HEUR:Exploit.MSOffice.CVE-2017-11882.i Trojan-Downloader.Agent.HTTP.C&C PDM:Trojan.Win32.Generic Trojan-Dropper.MSOffice.SDrop.sb HackTool.ReconScan.TCP.ServerRequest Trojan-PSW.Win32.Stealer.sb Trojan-PSW.Win32.Stelega.sb Trojan-PSW.Win32.DarkCloud.sb
Link:
https://opentip.kaspersky.com/65ee2ef8073cd071cba79b4b2fa72a94b2912ab692360eabf32e6e4e9e2165b8/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1862553
Signature
Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
OFFICE
Link:
https://malprob.io/report/65ee2ef8073cd071cba79b4b2fa72a94b2912ab692360eabf32e6e4e9e2165b8
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/65ee2ef8073cd071cba79b4b2fa72a94b2912ab692360eabf32e6e4e9e2165b8/
Verdict:
Malicious
Threat:
Trojan.MSOffice.SLoad
Link:
https://tip.neiki.dev/file/65ee2ef8073cd071cba79b4b2fa72a94b2912ab692360eabf32e6e4e9e2165b8
Threat name:
Document-Office.Exploit.CVE-2017-11882
Create hunting rule
Status:
Malicious
First seen:
2026-02-03 12:55:19 UTC
File Type:
Document
Extracted files:
19
AV detection:
20 of 38 (52.63%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mxxc56ahhtihds5htnfs7jzksszjckvwsi3a5k7tfzxe5hrbmw4a._file
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/260203-s6rhjsgx6e/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/65ee2ef8073c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/65ee2ef8073cd071cba79b4b2fa72a94b2912ab692360eabf32e6e4e9e2165b8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:telebot_framework
Create hunting rule
Author:vietdx.mb
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:Warp
Create hunting rule
Author:Seth Hardy
Description:Warp
Rule name:WarpStrings
Create hunting rule
Author:Seth Hardy
Description:Warp Identifying Strings

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkCloud

Excel file xlsx 65ee2ef8073cd071cba79b4b2fa72a94b2912ab692360eabf32e6e4e9e2165b8

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/51511/

Comments