MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b6fbf89972040c9ce1e4b0fa7756c42077e74949dc9079facfb2ac537aecced0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b6fbf89972040c9ce1e4b0fa7756c42077e74949dc9079facfb2ac537aecced0
SHA3-384 hash: d5278bc38f2501e44dc38b9736124995f1287d9976f8efcaf04d2462522f3a09c71f7fb3750477ded65bbcb4b36cc73f
SHA1 hash: 07f7fd4ce6185f1df5a25796f97c79e57bb3018d
MD5 hash: 4cc4be9d19f04161f8fabe8d17cf5dab
humanhash: skylark-mike-hotel-artist
File name:RFQ#WA2617-3063_2026.04.docx
Download: download sample
File size:574'478 bytes
First seen:2026-05-28 06:27:36 UTC
Last seen:2026-05-28 06:29:23 UTC
File type:Word file docx
MIME type:application/octet-stream
ssdeep 12288:aktl/NXlQBkUK1DvgdEegWd8w1iOELN4zQC5Ip/F35+mc4tGJF:xx6k71D4qEL1i1L+p+o+Y
TLSH T18EC4F05DA97E58DA92630CA41FB14050529B280D57DC447F3A803EADEE09F2BBFCB139
TrID 52.2% (.DOCX) Word Microsoft Office Open XML Format document (23500/1/4)
38.8% (.ZIP) Open Packaging Conventions container (17500/1/4)
8.8% (.ZIP) ZIP compressed archive (4000/1)
Magika docx
Reporter lowmal3
Tags:docx

Intelligence

File Origin
# of uploads :
2
# of downloads :
96
Origin country :
DE DE
Vendor Threat Intelligence
Malware configuration found for:
MSO
Details
MSO
extracted OLE packages, if they are present within the input OOXML document
Link:
https://research.acce.ciphertechsolutions.com/results/0f53e0ef-56e4-470d-bb32-049c936e0501/
Malware family:
n/a
ID:
1
File name:
_b6fbf89972040c9ce1e4b0fa7756c42077e74949dc9079facfb2ac537aecced0.zip
Verdict:
No threats detected
Analysis date:
2026-05-28 06:29:14 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/331cbec5-2f24-4044-aff4-9083b0ee4b65

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Legit
File type:
application/vnd.openxmlformats-officedocument.wordprocessingml.document
Has a screenshot:
False
Contains macros:
False
Detection(s):
SecuriteInfo.com.Rtf.Obfus-3.UNOFFICIAL
Create hunting rule

Sanesecurity.Shelter.Malware.BadRtf.ObjUpd.UNOFFICIAL
Create hunting rule

MiscreantPunch.EXEInsideOfRTF.1.UNOFFICIAL
Create hunting rule

MiscreantPunch.RTF.2017-0199.Obfus.171711.UNOFFICIAL
Create hunting rule

YARA.DITEKSHEN_INDICATOR_RTF_Malver_Objects.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.PKillDOCXEmbeddedHexyEXEAxelF.20210920.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a17e08733dfa243d40a4c77
Tags:
extens shell sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the %temp% directory
Changing the Zone.Identifier stream
Searching for synchronization primitives
Launching a process
Creating a window
Creating a process with a hidden window
Loading a suspicious library
Launching the default Windows debugger (dwwin.exe)
DNS request
Connection attempt
Sending a custom TCP request
Running batch commands by exploiting the app vulnerability
Result
Verdict:
Malicious
File Type:
OOXML Word File
Link:
https://app.docguard.net/b6fbf89972040c9ce1e4b0fa7756c42077e74949dc9079facfb2ac537aecced0/results/dashboard
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
CVE-2017-11882 exploit
Link:
https://www.filescan.io/uploads/6a17e085099ef368af0770c6/reports/ca934cca-fef9-4451-9a4e-06ab58333982/overview
Verdict:
Malicious
Labled as:
Msoffice/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/b6fbf89972040c9ce1e4b0fa7756c42077e74949dc9079facfb2ac537aecced0
Label:
Benign
Suspicious Score:
6/10
Score Malicious:
7%
Score Benign:
93%
Link:
https://www.malware.ai/gui/files/?id=c55da984-8744-4238-8f5d-ebc8f33c36f2
Verdict:
Malicious
File Type:
docx
First seen:
2026-05-25T20:28:00Z UTC
Last seen:
2026-05-28T03:04:00Z UTC
Hits:
~100
Link:
https://opentip.kaspersky.com/b6fbf89972040c9ce1e4b0fa7756c42077e74949dc9079facfb2ac537aecced0/results?tab=lookup
Score:
91%
Verdict:
Malware
File Type:
ARCHIVE
Link:
https://malprob.io/report/b6fbf89972040c9ce1e4b0fa7756c42077e74949dc9079facfb2ac537aecced0
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b6fbf89972040c9ce1e4b0fa7756c42077e74949dc9079facfb2ac537aecced0/
Verdict:
Malicious
Threat:
Exploit.MSOffice.CVE-2017-11882
Link:
https://tip.neiki.dev/file/b6fbf89972040c9ce1e4b0fa7756c42077e74949dc9079facfb2ac537aecced0
Threat name:
Document-RTF.Trojan.Ravartar
Create hunting rule
Status:
Malicious
First seen:
2026-05-26 13:10:44 UTC
File Type:
Document
Extracted files:
81
AV detection:
13 of 36 (36.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=w357rglsaqgjzypewd5hovweeb36oskj3siht6wpwkwfg6xmz3ia._file
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/260528-g8fnaagz6p/
Behaviour
Checks processor information in registry
Enumerates system info in registry
NTFS ADS
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b6fbf8997204/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.26
Link:
https://yomi.yoroi.company/submissions/b6fbf89972040c9ce1e4b0fa7756c42077e74949dc9079facfb2ac537aecced0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MAL_RTF_Embedded_OLE_PE
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects a suspicious string often used in PE files in a hex encoded object stream
Reference:https://www.nextron-systems.com/2018/01/22/creating-yara-rules-detect-embedded-exe-files-ole-objects/
Rule name:SUSP_INDICATOR_RTF_MalVer_Objects
Create hunting rule
Author:ditekSHen
Description:Detects RTF documents with non-standard version and embedding one of the object mostly observed in exploit (e.g. CVE-2017-11882) documents.
Reference:https://github.com/ditekshen/detection
Rule name:telebot_framework
Create hunting rule
Author:vietdx.mb
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Word file docx b6fbf89972040c9ce1e4b0fa7756c42077e74949dc9079facfb2ac537aecced0

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments