MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8ef4f92eeff604c0dbd125cf358350141d9e3c1ef400775365b202c5d95b920e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 13

Intelligence 13 IOCs YARA 5 File information Comments

SHA256 hash:	8ef4f92eeff604c0dbd125cf358350141d9e3c1ef400775365b202c5d95b920e
SHA3-384 hash:	664f3768b817f6d3357c4c284aa0d9a4f81272038502e9d7791280f8414b2ce23f33b8557769bbfa1cf723653986e22c
SHA1 hash:	cb22695d92994cd2cdee3aadd8304262f18495ea
MD5 hash:	b572151155cdb30aa3c5096071720dbf
humanhash:	kentucky-batman-kilo-autumn
File name:	GSTR 9C_Offline_Utility (2)_23-24.xlsm
Download:	download sample
File size:	592'065 bytes
First seen:	2025-12-23 17:16:48 UTC
Last seen:	Never
File type:	xlsm
MIME type:	application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
ssdeep	12288:zu/ue0pjbVj+nKDiEQeDhmgpWwXU6uAh0Uso0jqKC:+u/pSnBngpWD6uLUJ0jRC
TLSH	T125C41219C627721ED91FD039F3A447E26446B72AD083E1AE6D50B84C33272E767CE64D
TrID	42.4% (.XLAM) Excel Macro-enabled Open XML add-in (83500/1/13) 29.2% (.XLSM) Excel Microsoft Office Open XML Format document (with Macro) (57500/1/12) 17.3% (.XLSX) Excel Microsoft Office Open XML Format document (34000/1/7) 8.9% (.ZIP) Open Packaging Conventions container (17500/1/4) 2.0% (.ZIP) ZIP compressed archive (4000/1)
Magika	xlsx
Reporter	abuse_ch
Tags:	xlsm

Office OLE Information

This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

Embedded Images

MalwareBazaar found the following images embedded in this file:

MD5 hash	dc.creator	# of relations
5ec83a77eea5da94755196cfdb0da629	Richi Jain	2
6408eb11c54334b9fd393ec7ebf2d498	Richi Jain	2

OLE dump

MalwareBazaar was able to identify 107 sections in this file using oledump:

Section ID	Section size	Section name
A1	2483 bytes	PROJECT
A2	1115 bytes	PROJECTwm
A3	44015 bytes	VBA/CSHA256
A4	23464 bytes	VBA/Common_Module
A5	105935 bytes	VBA/Export_JSON_Module
A6	3252 bytes	VBA/FileUtil
A7	27829 bytes	VBA/Hashing_JSON
A8	72934 bytes	VBA/Import_Error_JSON
A9	57926 bytes	VBA/Import_JSON_Module
A10	63822 bytes	VBA/JsonConverter
A11	26489 bytes	VBA/Module1
A12	31026 bytes	VBA/PDF_Module
A13	1150 bytes	VBA/Sheet1
A14	3448 bytes	VBA/Sheet10
A15	1151 bytes	VBA/Sheet11
A16	4598 bytes	VBA/Sheet12
A17	1151 bytes	VBA/Sheet13
A18	1151 bytes	VBA/Sheet14
A19	1151 bytes	VBA/Sheet15
A20	2046 bytes	VBA/Sheet16
A21	1002 bytes	VBA/Sheet17
A22	1151 bytes	VBA/Sheet18
A23	2982 bytes	VBA/Sheet2
A24	1151 bytes	VBA/Sheet21
A25	1016 bytes	VBA/Sheet23
A26	1016 bytes	VBA/Sheet25
A27	1214 bytes	VBA/Sheet3
A28	1150 bytes	VBA/Sheet4
A29	1895 bytes	VBA/Sheet5
A30	1150 bytes	VBA/Sheet6
A31	10253 bytes	VBA/Sheet7
A32	1150 bytes	VBA/Sheet8
A33	1150 bytes	VBA/Sheet9
A34	15465 bytes	VBA/Signing_Module
A35	5043 bytes	VBA/ThisWorkbook
A36	62735 bytes	VBA/ValidateMod
A37	60335 bytes	VBA/Validate_Functions
A38	22713 bytes	VBA/Variable_Initialize
A39	23200 bytes	VBA/_VBA_PROJECT
A40	14594 bytes	VBA/__SRP_0
A41	1416 bytes	VBA/__SRP_1
A42	1190 bytes	VBA/__SRP_10
A43	939 bytes	VBA/__SRP_11
A44	1912 bytes	VBA/__SRP_12
A45	103 bytes	VBA/__SRP_13
A46	1654 bytes	VBA/__SRP_14
A47	456 bytes	VBA/__SRP_15
A48	2450 bytes	VBA/__SRP_16
A49	454 bytes	VBA/__SRP_17
A50	228 bytes	VBA/__SRP_18
A51	66 bytes	VBA/__SRP_19
A52	312 bytes	VBA/__SRP_1a
A53	120 bytes	VBA/__SRP_1b
A54	228 bytes	VBA/__SRP_1c
A55	66 bytes	VBA/__SRP_1d
A56	228 bytes	VBA/__SRP_1e
A57	66 bytes	VBA/__SRP_1f
A58	1504 bytes	VBA/__SRP_2
A59	228 bytes	VBA/__SRP_20
A60	66 bytes	VBA/__SRP_21
A61	228 bytes	VBA/__SRP_22
A62	66 bytes	VBA/__SRP_23
A63	228 bytes	VBA/__SRP_24
A64	66 bytes	VBA/__SRP_25
A65	228 bytes	VBA/__SRP_26
A66	66 bytes	VBA/__SRP_27
A67	228 bytes	VBA/__SRP_28
A68	66 bytes	VBA/__SRP_29
A69	228 bytes	VBA/__SRP_2a
A70	66 bytes	VBA/__SRP_2b
A71	228 bytes	VBA/__SRP_2c
A72	66 bytes	VBA/__SRP_2d
A73	812 bytes	VBA/__SRP_2e
A74	120 bytes	VBA/__SRP_2f
A75	1268 bytes	VBA/__SRP_3
A76	228 bytes	VBA/__SRP_30
A77	66 bytes	VBA/__SRP_31
A78	228 bytes	VBA/__SRP_32
A79	66 bytes	VBA/__SRP_33
A80	228 bytes	VBA/__SRP_34
A81	66 bytes	VBA/__SRP_35
A82	312 bytes	VBA/__SRP_36
A83	120 bytes	VBA/__SRP_37
A84	228 bytes	VBA/__SRP_38
A85	66 bytes	VBA/__SRP_39
A86	228 bytes	VBA/__SRP_3a
A87	66 bytes	VBA/__SRP_3b
A88	94 bytes	VBA/__SRP_3c
A89	149 bytes	VBA/__SRP_3d
A90	94 bytes	VBA/__SRP_3e
A91	158 bytes	VBA/__SRP_3f
A92	306 bytes	VBA/__SRP_4
A93	254 bytes	VBA/__SRP_40
A94	939 bytes	VBA/__SRP_41
A95	1497 bytes	VBA/__SRP_5
A96	112 bytes	VBA/__SRP_6
A97	371 bytes	VBA/__SRP_7
A98	818 bytes	VBA/__SRP_8
A99	645 bytes	VBA/__SRP_9
A100	942 bytes	VBA/__SRP_a
A101	737 bytes	VBA/__SRP_b
A102	942 bytes	VBA/__SRP_c
A103	737 bytes	VBA/__SRP_d
A104	198 bytes	VBA/__SRP_e
A105	140 bytes	VBA/__SRP_f
A106	2208 bytes	VBA/dir

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Details

Link:

https://research.acce.ciphertechsolutions.com/results/80eda94c-0fac-465a-ab8d-9a61a58299dc/

Malware family:

n/a

ID:

File name:

_8ef4f92eeff604c0dbd125cf358350141d9e3c1ef400775365b202c5d95b920e.zip

Verdict:

No threats detected

Analysis date:

2025-12-23 17:18:19 UTC

Tags:

macros macros-on-open

Link:

https://app.any.run/tasks/d2918490-6a87-48ea-83ea-f5820d0d860f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict:

Malicious

File type:

application/octet-stream

Has a screenshot:

False

Contains macros:

False

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/45904/

Detection(s):

TwinWave.EvilDoc.ScriptYouthGoneWild.20210322.UNOFFICIAL

Verdict:

Suspicious

Score:

50%

Link:

https://cyber-fortress.com/docs/result/index.php?id=694aceb4038f10550b552384

Tags:

office macro micro

Result

Verdict:

Malicious

File Type:

Excel File with Macro

Link:

https://app.docguard.net/8ef4f92eeff604c0dbd125cf358350141d9e3c1ef400775365b202c5d95b920e/results/dashboard

Behaviour

BlacklistAPI detected

Document image

Image:

Download PNG

Verdict:

Malicious

Labled as:

Msoffice/malicious_confidence_60%

Link:

https://www.hybrid-analysis.com/sample/8ef4f92eeff604c0dbd125cf358350141d9e3c1ef400775365b202c5d95b920e

Label:

Benign

Suspicious Score:

/10

Score Malicious:

Score Benign:

Link:

https://www.malware.ai/gui/files/?id=4b447920-91a9-4f09-b431-33478e715c24

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/8ef4f92eeff604c0dbd125cf358350141d9e3c1ef400775365b202c5d95b920e

Details

Macro with Startup Hook

Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.

Macro with File System Write

Detected macro logic that can write data to the file system.

Macro with File System Read

Detected macro logic that can read data from the file system.

Excel Macro Manipulates Hidden Sheets

Detected macro logic designed to hide a sheet within the current, or another spreadsheet. This technique is not necessarily indicative of malicious behavior as hidden sheets have legitimate uses.

Base64 Encoded URL

Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.

Macro with DLL Reference

Detected macro logic that will load additional functionality from Dynamically Linked Libraries (DLLs). While not explicitly malicious, this is a common tactic for accessing APIs that are not otherwised exposed via Visual Basic for Applications (VBA).

Verdict:

Clean

File Type:

xlsm

First seen:

2025-12-22T13:15:00Z UTC

Last seen:

2025-12-22T13:23:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/8ef4f92eeff604c0dbd125cf358350141d9e3c1ef400775365b202c5d95b920e/results?tab=lookup

Result

Threat name:

n/a

Detection:

malicious

Classification:

phis.expl.evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/1838328

Signature

AI detected landing page (webpage, office document or email)

Document contains an embedded VBA macro which may execute processes

Document contains an embedded VBA macro with suspicious strings

Document contains an embedded VBA with base64 encoded strings

Document contains an embedded VBA with functions possibly related to ADO stream file operations

Document contains an embedded VBA with functions possibly related to HTTP operations

Document contains an embedded VBA with hexadecimal encoded strings

Document contains an embedded VBA with many string operations indicating source code obfuscation

Document Viewer accesses SMB path (likely to steal NTLM hashes or to download payload)

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

OFFICE

Link:

https://malprob.io/report/8ef4f92eeff604c0dbd125cf358350141d9e3c1ef400775365b202c5d95b920e

Verdict:

Malware

YARA:

3 match(es)

Tags:

ATT&CK T1564.007 Blacklist VBA DeObfuscated Malicious Malicious Document Moderately Suspicious Document Obfuscated Office Document Remote Template Injection Scripting.FileSystemObject T1059.005 T1221 VBA Stomping VBScript VBScript.RegExp

Link:

https://app.malva.re/file/b572151155cdb30aa3c5096071720dbf

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8ef4f92eeff604c0dbd125cf358350141d9e3c1ef400775365b202c5d95b920e/

Verdict:

Clean

Link:

https://tip.neiki.dev/file/8ef4f92eeff604c0dbd125cf358350141d9e3c1ef400775365b202c5d95b920e

Threat name:

Document.Trojan.Heuristic

Status:

Malicious

First seen:

2025-12-23 17:17:35 UTC

File Type:

Document

Extracted files:

278

AV detection:

3 of 24 (12.50%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=r32pslxp6ycmbw6rexhtla2qcqoz4pa66qahou3fwibmlwk3siha._file

Result

Malware family:

n/a

Score:

8/10

Tags:

macro

Link:

https://tria.ge/reports/251225-nya4dawjh1/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/8ef4f92eeff604c0dbd125cf358350141d9e3c1ef400775365b202c5d95b920e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	vbaproject_bin Create hunting rule
Author:	CD_R0M_
Description:	{76 62 61 50 72 6f 6a 65 63 74 2e 62 69 6e} is hex for vbaproject.bin. Macros are often used by threat actors. Work in progress - Ran out of time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/45904/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample