MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 73ea6dbfa84a657337aa336646049f83ca33f4429cca1251901f695eefbceb7d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments

SHA256 hash: 73ea6dbfa84a657337aa336646049f83ca33f4429cca1251901f695eefbceb7d
SHA3-384 hash: 6dc27c29531bd9cbfa615e3967073f54a8e604de77230d2c92ef47fc0a43613c5257f43430c092f9ed8313ca8f75efd6
SHA1 hash: 8c0df2a1aa77ca87d5b658952ff49a85c55c2233
MD5 hash: 92b181c2c09bc076b8615f4e3327bf0c
humanhash: salami-music-harry-louisiana
File name:OrdenXdeXcompra.pdf.xlam
Download: download sample
File size:745'225 bytes
First seen:2026-06-30 05:50:47 UTC
Last seen:Never
File type:Excel file xlsx
MIME type:application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
ssdeep 12288:/06QW+7axU3td7XwZTf0OeZdIdxFwIxPK4nOR4S3y9ei8kI3iVGBLLU:/9QWXxwtlgZTMOejIuEPKq/d9ei8J1V4
TLSH T1A3F423C1E1E50D338542CC17278C2FB2E65FB6B2A57387C256F2145FC234A6396D6A8E
TrID 61.2% (.XLSX) Excel Microsoft Office Open XML Format document (34000/1/7)
31.5% (.ZIP) Open Packaging Conventions container (17500/1/4)
7.2% (.ZIP) ZIP compressed archive (4000/1)
Magika xlsx
Reporter lowmal3
Tags:CVE-2017-11882 xlsx

Office OLE Information


This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE dump

MalwareBazaar was able to identify 3 sections in this file using oledump:

Section IDSection sizeSection name
A11050393 bytesolE10NAtiVe
A20 byteshhktIVklCQEpiwn3Y9Et

Intelligence


File Origin
# of uploads :
1
# of downloads :
151
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
_73ea6dbfa84a657337aa336646049f83ca33f4429cca1251901f695eefbceb7d.zip
Verdict:
No threats detected
Analysis date:
2026-06-30 05:52:22 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Legit
File type:
text/xml
Has a screenshot:
False
Contains macros:
False
Verdict:
Malicious
Score:
94.9%
Tags:
shellcode office micro
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for synchronization primitives
Launching a process
DNS request
Creating a file in the %AppData% directory
Creating a file
Creating a file in the %AppData% subdirectories
Delayed reading of the file
Searching for the window
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Connection attempt by exploiting the app vulnerability
Sending a custom TCP request by exploiting the app vulnerability
Creating a process from a recently created file
Result
Verdict:
Malicious
File Type:
OOXML Excel File with Embedding Objects
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug CVE-2017-11882 downloader embedequation exploit formbook installer-heuristic masquerade packed reconnaissance shellcode
Label:
Malicious
Suspicious Score:
9.8/10
Score Malicious:
99%
Score Benign:
1%
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
64 / 100
Signature
Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Verdict:
inconclusive
YARA:
3 match(es)
Tags:
Office Document
Verdict:
Malicious
Threat:
Trojan.MSOffice.CVE-2017-11882
Threat name:
Document-Office.Exploit.CVE-2017-11882
Status:
Malicious
First seen:
2026-06-29 18:07:20 UTC
File Type:
Document
Extracted files:
14
AV detection:
26 of 36 (72.22%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  1/10
Tags:
persistence ransomware
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:telebot_framework
Author:vietdx.mb
Rule name:vmdetect
Author:nex
Description:Possibly employs anti-virtualization techniques

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Excel file xlsx 73ea6dbfa84a657337aa336646049f83ca33f4429cca1251901f695eefbceb7d

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments