MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7c83c14d0579081908ecdbb8c29c31d088f41de38d07155095a0703f3b1e451e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 16


Intelligence 16 IOCs YARA 3 File information Comments

SHA256 hash: 7c83c14d0579081908ecdbb8c29c31d088f41de38d07155095a0703f3b1e451e
SHA3-384 hash: 86857a2a96570e7499aba64e89588b30c617dcb7c09712ac1f1e787c5bc24782c6cff4dd00a49eb670675715c6dbc21a
SHA1 hash: 1022cc751d014809f3cce03b48c32a04453d14be
MD5 hash: 6cf8e3575beb67a995678db19d2be351
humanhash: california-east-fourteen-alpha
File name:TransferenciaXdeXpago.xlam
Download: download sample
File size:749'487 bytes
First seen:2026-06-30 05:40:16 UTC
Last seen:Never
File type:Excel file xlsx
MIME type:application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
ssdeep 12288:Fo5R22QhtiBlwB+nUmbu3IHP848bXz5QC58avRCgpCGQqQAOYKWhN/F4vw48FIcF:KknhtiB6B2bu3Ivx8bXiuMEVhN/uB5M
TLSH T151F4331E29B069C1F4D6607C9BA140D1320E5962B6B7A84718CF9F6C18FE691F37F2E4
TrID 61.2% (.XLSX) Excel Microsoft Office Open XML Format document (34000/1/7)
31.5% (.ZIP) Open Packaging Conventions container (17500/1/4)
7.2% (.ZIP) ZIP compressed archive (4000/1)
Magika xlsx
Reporter lowmal3
Tags:CVE-2017-11882 xlsx

Office OLE Information


This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE dump

MalwareBazaar was able to identify 3 sections in this file using oledump:

Section IDSection sizeSection name
A1991810 bytesoLE10nATive
A20 bytesyFX1UYPMtHgVqXmjn2VGQnUg

Intelligence


File Origin
# of uploads :
1
# of downloads :
157
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
_7c83c14d0579081908ecdbb8c29c31d088f41de38d07155095a0703f3b1e451e.zip
Verdict:
No threats detected
Analysis date:
2026-06-30 05:42:28 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Legit
File type:
application/octet-stream
Has a screenshot:
False
Contains macros:
False
Verdict:
Malicious
Score:
92.5%
Tags:
office shell micro
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for synchronization primitives
Launching a process
DNS request
Creating a file in the %AppData% directory
Сreating synchronization primitives
Connection attempt
Sending a custom TCP request
Creating a file
Creating a process with a hidden window
Possible injection to a system process
Connection attempt by exploiting the app vulnerability
Forced shutdown of a system process
Sending a custom TCP request by exploiting the app vulnerability
Creating a process from a recently created file
Unauthorized injection to a system process
Result
Verdict:
Malicious
File Type:
OOXML Excel File with Embedding Objects
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
CVE-2017-11882 downloader embedequation exploit formbook masquerade
Label:
Malicious
Suspicious Score:
9.8/10
Score Malicious:
99%
Score Benign:
1%
Verdict:
Malicious
File Type:
xlam
First seen:
2026-06-29T11:48:00Z UTC
Last seen:
2026-07-02T03:43:00Z UTC
Hits:
~1000
Detections:
Trojan-Downloader.JS.SLoad.sb Trojan-Dropper.MSOffice.SDrop.sb Trojan-Downloader.Win32.Agent.sb Trojan.JS.SAgent.sb Trojan.PowerShell.Agent.sb HEUR:Trojan.Script.Generic HEUR:Exploit.MSOffice.Generic PDM:Trojan.Win32.Generic Trojan.Win32.Shelma.sb Trojan-Downloader.MSOffice.SLoad.sb HEUR:Trojan-Downloader.Script.Generic Exploit.MSOffice.CVE-2018-0802.b BSS:Exploit.Win32.Generic Trojan.MSOffice.Agent.sb Exploit.MSOffice.CVE-2017-11882.sb
Verdict:
inconclusive
YARA:
3 match(es)
Tags:
Office Document
Threat name:
Document-Office.Exploit.CVE-2017-11882
Status:
Malicious
First seen:
2026-06-29 15:11:08 UTC
AV detection:
27 of 38 (71.05%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  1/10
Tags:
persistence ransomware
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Malware family:
AgentTesla
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:telebot_framework
Author:vietdx.mb
Rule name:Warp
Author:Seth Hardy
Description:Warp
Rule name:WarpStrings
Author:Seth Hardy
Description:Warp Identifying Strings

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Excel file xlsx 7c83c14d0579081908ecdbb8c29c31d088f41de38d07155095a0703f3b1e451e

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments