MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 803f85ff16679b78ef373bc5ad30723c82c2902f1958a53ec5cffafeee4d4b2e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 803f85ff16679b78ef373bc5ad30723c82c2902f1958a53ec5cffafeee4d4b2e
SHA3-384 hash: d722b4c393fc15591dbf1c4bc31b919fa2930487164cadd3a7ff05860eeb8d945b96d7e4f104f93938ab6cd6335a1a77
SHA1 hash: a798c542e13d102dd9239edefcaf252ec215549d
MD5 hash: cbebffafb219ec717f3cdf76082aec91
humanhash: grey-william-charlie-six
File name:PO#001498.xlsx
Download: download sample
Signature Formbook
Create hunting rule
File size:1'931'772 bytes
First seen:2025-04-10 09:55:13 UTC
Last seen:2025-04-10 16:06:16 UTC
File type:Excel file xlsx
MIME type:application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
ssdeep 49152:zEvb0yKK9xjcyxaFoQeDf/FbLLmu/q93ABrKNAbIunb3fMfm1Yg:INbxYyWtUfdbvmu/UW/bfMfmH
TLSH T1E79533C70B78E1B8B54E4298F20978AFBE7025DB293FD06FADC9A535518B810FF49611
TrID 61.2% (.XLSX) Excel Microsoft Office Open XML Format document (34000/1/7)
31.5% (.ZIP) Open Packaging Conventions container (17500/1/4)
7.2% (.ZIP) ZIP compressed archive (4000/1)
Magika xlsx
Reporter lowmal3
Tags:CVE-2017-11882 FormBook xlsx

Office OLE Information

This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE dump

MalwareBazaar was able to identify 3 sections in this file using oledump:

Section IDSection sizeSection name
A12180136 bytesoLE10nAtIVE
A20 bytesMtYg34NNoePFXd96wl12o

Intelligence

File Origin
# of uploads :
2
# of downloads :
3'854
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO#001498.xlsx
Verdict:
No threats detected
Analysis date:
2025-04-10 10:13:57 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/52a6bbaa-6f44-4471-bba4-b8ffb1583b96

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Legit
File type:
application/octet-stream
Has a screenshot:
False
Contains macros:
False
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/1564/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67f79d251dba888a93ceddba
Tags:
office spawn micro
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Searching for synchronization primitives
Launching a process
DNS request
Sending an HTTP GET request
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Connection attempt by exploiting the app vulnerability
Result
Verdict:
Malicious
File Type:
OOXML Excel File with Embedding Objects
Link:
https://app.docguard.net/803f85ff16679b78ef373bc5ad30723c82c2902f1958a53ec5cffafeee4d4b2e/results/dashboard
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
embedequation exploit packed shellcode
Link:
https://www.filescan.io/uploads/67f795b8b070fb3f9461b1b8/reports/c1cf4e93-db72-461d-a4ac-6ac1a38d0702/overview
Verdict:
Malicious
Labled as:
CVE-2017-11882
Link:
https://www.hybrid-analysis.com/sample/803f85ff16679b78ef373bc5ad30723c82c2902f1958a53ec5cffafeee4d4b2e
Label:
Malicious
Suspicious Score:
10/10
Score Malicious:
1%
Score Benign:
0%
Link:
https://www.malware.ai/gui/files/?id=691d365d-ed5b-413e-829a-00b58d013508
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/803f85ff16679b78ef373bc5ad30723c82c2902f1958a53ec5cffafeee4d4b2e
Details
Document With No Content
Document contains little or no semantic information.
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1661721
Signature
Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
OFFICE
Link:
https://malprob.io/report/803f85ff16679b78ef373bc5ad30723c82c2902f1958a53ec5cffafeee4d4b2e
Detection:
cve-2017-11882-shellcode
Create hunting rule
Link:
https://mwdb.cert.pl/sample/803f85ff16679b78ef373bc5ad30723c82c2902f1958a53ec5cffafeee4d4b2e/
Threat name:
Document-Office.Exploit.CVE-2017-11882
Create hunting rule
Status:
Malicious
First seen:
2025-04-10 07:07:11 UTC
File Type:
Document
Extracted files:
16
AV detection:
27 of 38 (71.05%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qa7yl7ywm6nxr3zxhpc22mdshsbmfebpdfmkkpwfz75p53snjmxa._file
Verdict:
malicious
Label(s):
captiveaaloader
Create hunting rule
unc_loader_037
Create hunting rule
formbook
Create hunting rule
Similar samples:
error
Formbook
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/250410-lyd4xsxyhz/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Verdict:
Suspicious
Tags:
exploit
YARA:
INDICATOR_OLE_EXPLOIT_CVE_2017_11882_1
Link:
https://app.threat.zone/submission/a341211c-6936-4e01-806a-ec08dc2add68
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/803f85ff16679b78ef373bc5ad30723c82c2902f1958a53ec5cffafeee4d4b2e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Excel file xlsx 803f85ff16679b78ef373bc5ad30723c82c2902f1958a53ec5cffafeee4d4b2e

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/1564/

Comments