MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 82cec82230bedc61c4206eb6fe7aa9ed9b3173468b591b77a0a0cfd998869a9a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 82cec82230bedc61c4206eb6fe7aa9ed9b3173468b591b77a0a0cfd998869a9a
SHA3-384 hash: 985591f4f612bb605d391ab1698c46d40fcf2d544fa745edc0132c0a0e929eb2627c1fb07f943331d01fc597a1c56346
SHA1 hash: 4a007ce0f1f3d33d8ff44a1bc1da2689eaa66de3
MD5 hash: 7662b969e5de9a46224078963ec8286c
humanhash: muppet-yankee-carolina-arizona
File name:MOPEXHIS RFQ#2365980.xlsx
Download: download sample
Signature Formbook
Create hunting rule
File size:1'802'099 bytes
First seen:2025-10-21 13:16:22 UTC
Last seen:Never
File type:Excel file xlsx
MIME type:application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
ssdeep 49152:frA1mIOK1uzOm9rpoEgt2TZgQO2BDxkPVJ2oahxx8:fnIOK1uzO9mbO2BDqVlmxx8
TLSH T1B18533086AB2305DEA6026C9FD184283DDB1287C8C5C077B7537ECDBCB62739196BB52
TrID 61.2% (.XLSX) Excel Microsoft Office Open XML Format document (34000/1/7)
31.5% (.ZIP) Open Packaging Conventions container (17500/1/4)
7.2% (.ZIP) ZIP compressed archive (4000/1)
Magika xlsx
Reporter lowmal3
Tags:CVE-2017-11882 FormBook xlsx

Office OLE Information

This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE dump

MalwareBazaar was able to identify 3 sections in this file using oledump:

Section IDSection sizeSection name
A12110455 bytesOLE10NaTivE
A20 bytesskME9iIF

Intelligence

File Origin
# of uploads :
1
# of downloads :
135
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
MOPEXHIS RFQ#2365980.xlsx
Verdict:
No threats detected
Analysis date:
2025-10-21 13:17:26 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3b8d290e-e584-46d7-9e44-f7ed5ec8d040

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Legit
File type:
application/octet-stream
Has a screenshot:
False
Contains macros:
False
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/33630/
Detection(s):
no reply from clamd
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68f787db3edd081eba405959
Tags:
office micro sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for synchronization primitives
Launching a process
DNS request
Sending an HTTP GET request
Creating a file in the %AppData% directory
Сreating synchronization primitives
Creating a file
Connection attempt by exploiting the app vulnerability
Launching a file downloaded from the Internet
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Creating a process from a recently created file
Result
Verdict:
Malicious
File Type:
OOXML Excel File with Embedding Objects
Link:
https://app.docguard.net/82cec82230bedc61c4206eb6fe7aa9ed9b3173468b591b77a0a0cfd998869a9a/results/dashboard
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm base64 bitmap embedequation exploit lolbin msbuild obfuscated packed packed reconnaissance regsvcs rezer0 roboski schtasks shellcode stego vbc zero
Link:
https://www.filescan.io/uploads/68f787cdc85c5c5697308fe7/reports/59da8990-110c-4ef1-a97e-eb16b946cefc/overview
Verdict:
Malicious
Labled as:
CVE-2017-11882
Link:
https://www.hybrid-analysis.com/sample/82cec82230bedc61c4206eb6fe7aa9ed9b3173468b591b77a0a0cfd998869a9a
Label:
Malicious
Suspicious Score:
9.8/10
Score Malicious:
99%
Score Benign:
1%
Link:
https://www.malware.ai/gui/files/?id=f976d668-44da-4803-9f94-069357e90366
Verdict:
Malicious
File Type:
xlsx
First seen:
2025-10-21T03:29:00Z UTC
Last seen:
2025-10-23T10:40:00Z UTC
Hits:
~100
Detections:
Trojan.MSIL.Crypt.sb Exploit.MSOffice.CVE-2018-0802.b Exploit.MSOffice.CVE-2017-11882.sb Backdoor.Agent.HTTP.C&C Trojan-Downloader.MSOffice.SLoad.sb Trojan.Win32.Shelma.sb Trojan.MSIL.Taskun.sb Trojan.Agentb.UDP.C&C PDM:Trojan.Win32.Generic HEUR:Trojan-Spy.MSIL.Noon.gen HEUR:Exploit.MSOffice.Generic Trojan-Spy.Win32.Noon.sb Trojan-Spy.Noon.HTTP.ServerRequest Trojan-PSW.Win32.Stealer.sb Trojan.MSIL.Inject.sb HEUR:Trojan.MSIL.Agent.gen
Link:
https://opentip.kaspersky.com/82cec82230bedc61c4206eb6fe7aa9ed9b3173468b591b77a0a0cfd998869a9a/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1799126
Signature
Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
OFFICE
Link:
https://malprob.io/report/82cec82230bedc61c4206eb6fe7aa9ed9b3173468b591b77a0a0cfd998869a9a
Verdict:
inconclusive
YARA:
3 match(es)
Tags:
Office Document
Link:
https://app.malva.re/file/7662b969e5de9a46224078963ec8286c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/82cec82230bedc61c4206eb6fe7aa9ed9b3173468b591b77a0a0cfd998869a9a/
Verdict:
Malicious
Threat:
Trojan.Win32.CVE-2017-11882
Link:
https://tip.neiki.dev/file/82cec82230bedc61c4206eb6fe7aa9ed9b3173468b591b77a0a0cfd998869a9a
Threat name:
Win32.Exploit.CVE-2017-11882
Create hunting rule
Status:
Malicious
First seen:
2025-10-21 08:47:37 UTC
File Type:
Document
Extracted files:
16
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qlhmqirqx3ogdrban23p46vj5wntc42grnmrw55audh5tgegtkna._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
formbook
Create hunting rule
Similar samples:
error
Formbook
Result
Malware family:
n/a
Score:
  1/10
Tags:
persistence ransomware
Link:
https://tria.ge/reports/251021-qjcd1axnht/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/82cec82230be/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/82cec82230bedc61c4206eb6fe7aa9ed9b3173468b591b77a0a0cfd998869a9a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Excel file xlsx 82cec82230bedc61c4206eb6fe7aa9ed9b3173468b591b77a0a0cfd998869a9a

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/33630/

Comments