MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c4ed041045a4c0eacd673fc5d85329cd4e082cdbed11a8ba87994b8ee2c9214d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown

Vendor detections: 14



SHA256 hash: c4ed041045a4c0eacd673fc5d85329cd4e082cdbed11a8ba87994b8ee2c9214d
SHA3-384 hash: 16afc4d87c92575a50ee7f185e1c2130f185174e1bbac21c090e9b4c639d6068ee3e3054c3c8b2dd27a29b7f96434110
SHA1 hash: b2e770604e3fb1f2499469e74ebdab20cd4fee40
MD5 hash: 37fa70a6e98dd9cfe8a6fc9501834bd9
humanhash: winner-enemy-hotel-nineteen
File name: SwiftXcopyXX807FTBR261590003X.xls
File size: 514'048 bytes
First seen: 2026-07-03 17:55:21 UTC
Last seen: 2026-07-03 17:56:59 UTC
File type: Excel file xls
MIME type: application/vnd.ms-excel
ssdeep: 12288:h5E03Uj6WdMXMegxsEBUz9Id+qWay4nT:PE0WnK8xC9IkMT
TLSH: T120B4F1A0B5948F59DB464F76CB9B8AC00325BDB35F19A60B31827B0D5EF33823947C69
TrID: 47.4% (.XLS) Microsoft Excel sheet (32500/1/3)
      40.8% (.XLS) Microsoft Excel sheet (alternate) (28000/1/3)
      11.6% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika: xls
Reporter: TomU
Tags: xls

Office OLE Information


This malware sample appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE id

Application name is Microsoft Excel
File Format is MS Excel 97-2003
Container Format is OLE
Office document is encrypted

OLE dump

MalwareBazaar was able to identify 11 sections in this file using oledump:

Section ID  Section size   Section name
1           114 bytes      CompObj
2           244 bytes      DocumentSummaryInformation
3           200 bytes      SummaryInformation
4           99 bytes       MBD001398D0/CompObj
5           23673 bytes    MBD001398D0/Package
6           866 bytes      MBD001398D1/Ole
7           114 bytes      MBD002EB9A7/CompObj
8           268 bytes      MBD002EB9A7/DocumentSummaryInformation
9           107192 bytes   MBD002EB9A7/SummaryInformation
10          123268 bytes   MBD002EB9A7/Workbook
11          249027 bytes   Workbook

Intelligence


File Origin

# of uploads: 2
# of downloads: 106
Origin country: CH

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: SwiftXcopyXX807FTBR261590003X.xls
Verdict: No threats detected
Analysis date: 2026-07-03 18:02:07 UTC
Tags: doc-url qrcode

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Legit
File type: application/vnd.ms-excel
Has a screenshot: False
Contains macros: False

Verdict: Malicious
Score: 94.1%
Tags: downloader virus remo

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Sending an HTTP GET request
Creating synchronization primitives
Connection attempt by exploiting the app vulnerability

Result
Verdict: Malicious
File Type: Legacy Excel File
Payload URLs
URL: http://000015353126315/httpswww.gartner.comennewsroompress-releases2025-05-13-gartner-identifies-top-trends-shaping-the-future-of-cloud-o900.php
File name:
Embedded Ole
Behaviour
SuspiciousRTF detected

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: macros

Label: Benign
Suspicious Score: 3/10
Score Malicious: 4%
Score Benign: 96%

Verdict: Malicious
File Type: xls
First seen: 2026-06-17T03:43:00Z UTC
Last seen: 2026-07-04T06:44:00Z UTC
Hits: ~10000
Detections: HEUR:Trojan.HTA.SAgent.gen HEUR:Exploit.MSOffice.CVE-2017-0199.gen HEUR:Trojan-Downloader.MSOffice.Agent.gen Trojan-Downloader.Agent.HTTP.C&C HEUR:Trojan.Script.Generic HEUR:Trojan.OLE2.UrcBadur.genw Trojan.MSOffice.SAgent.sb PDM:Exploit.Win32.Generic HEUR:Trojan.OLE2.Badur.genw
Threat name: Win32.Trojan.Leonem
Status: Malicious
First seen: 2026-06-17 10:26:31 UTC
File Type: Document
Extracted files: 31
AV detection: 18 of 36 (50.00%)
Threat level: 5/5

Result
Malware family: n/a
Score: 1/10
Tags: persistence ransomware
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API

Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Excel file xls c4ed041045a4c0eacd673fc5d85329cd4e082cdbed11a8ba87994b8ee2c9214d (this sample)

Delivery method: Distributed via e-mail attachment
