MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c6b8ec482a3f91f40f4281bdfaae026de6e14b3f3d0de58fcd7c1369a41d2820. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 13

Intelligence 13 IOCs YARA 3 File information Comments

SHA256 hash:	c6b8ec482a3f91f40f4281bdfaae026de6e14b3f3d0de58fcd7c1369a41d2820
SHA3-384 hash:	122c6e94546b461c06516c7429506b261a61b7de0b54ceaa3be3bcb180ef5585e492ec7f480f04ddb84fc19ce793fc09
SHA1 hash:	50eb79e516dc3fd1cbf20b7e3e1438c16232ec97
MD5 hash:	4ef203ea548ee7b066c4cec87436aac8
humanhash:	oxygen-florida-cold-lion
File name:	JSW_STEEL.xls
Download:	download sample
File size:	1'422'848 bytes
First seen:	2026-03-18 15:39:25 UTC
Last seen:	Never
File type:	xls
MIME type:	application/vnd.ms-excel
ssdeep	24576:jKvn/6YyOkz//sMRNYKjs1BBK+Riual2p8WnotDb5ENJ:e/QOO//L5yBguhhotaJ
TLSH	T19F652362FE40DB5CE40EC2B067C2CAA6362CFC317B54A5437E0DB35B7876AA4A543761
TrID	34.9% (.XLS) Microsoft Excel sheet (32500/1/3) 30.1% (.XLS) Microsoft Excel sheet (alternate) (28000/1/3) 26.3% (.XLS) Microsoft Excel sheet (alternate) (24500/1/2) 8.6% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika	xls
Reporter	TomU
Tags:	cve-2017-0199 xls

Office OLE Information

This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE dump

MalwareBazaar was able to identify 19 sections in this file using oledump:

Section ID	Section size	Section name
1	114 bytes	CompObj
2	244 bytes	DocumentSummaryInformation
3	200 bytes	SummaryInformation
4	94 bytes	MBD00A0A269/CompObj
5	20 bytes	MBD00A0A269/Ole
6	102027 bytes	MBD00A0A269/CONTENTS
7	94 bytes	MBD00A0A26A/CompObj
8	20 bytes	MBD00A0A26A/Ole
9	525303 bytes	MBD00A0A26A/CONTENTS
10	534 bytes	MBD00A0A26B/Ole
11	768662 bytes	Workbook
12	525 bytes	_VBA_PROJECT_CUR/PROJECT
13	104 bytes	_VBA_PROJECT_CUR/PROJECTwm
14	977 bytes	_VBA_PROJECT_CUR/VBA/Sheet1
15	977 bytes	_VBA_PROJECT_CUR/VBA/Sheet2
16	977 bytes	_VBA_PROJECT_CUR/VBA/Sheet3
17	985 bytes	_VBA_PROJECT_CUR/VBA/ThisWorkbook
18	2644 bytes	_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
19	553 bytes	_VBA_PROJECT_CUR/VBA/dir

Intelligence

File Origin

# of uploads :

# of downloads :

124

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

MSO

Details

MSO

extracted VBA Macros and, if observed, MS-OFORM variables/data are added to the knowledge base for usage in later parsing of the Macros

Link:

https://research.acce.ciphertechsolutions.com/results/8a9c0611-a185-4e90-b33b-879bb87f19ad/

Malware family:

n/a

ID:

File name:

JSW_STEEL.xls

Verdict:

No threats detected

Analysis date:

2026-03-18 15:41:18 UTC

Tags:

qrcode

Link:

https://app.any.run/tasks/ce07ff16-e269-4975-b7a9-a18383dc6a8e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/58004/

Detection(s):

SecuriteInfo.com.Exploit.CVE-2017-0199-3.UNOFFICIAL

Verdict:

Clean

Score:

89.3%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69bac76793b644ca466b56dc

Tags:

n/a

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Connection attempt by exploiting the app vulnerability

Sending an HTTP GET request

Result

Verdict:

Malicious

File Type:

Legacy Excel File with Macro

Link:

https://app.docguard.net/c6b8ec482a3f91f40f4281bdfaae026de6e14b3f3d0de58fcd7c1369a41d2820/results/dashboard

Payload URLs

URL

File name

http://000000000000000000000000000000015353103421/0000000000000000000000000010000000000000000000000.php

Embedded Ole

Behaviour

SuspiciousRTF detected

Document image

Image:

Download PNG

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

cve-2017-0199 exploit macros

Link:

https://www.filescan.io/uploads/69bac764493cb7d62d04a101/reports/bdf36a74-7fa7-416f-955b-93d8fdcbd92a/overview

Verdict:

Malicious

Labled as:

CVE-2017-0199

Link:

https://www.hybrid-analysis.com/sample/c6b8ec482a3f91f40f4281bdfaae026de6e14b3f3d0de58fcd7c1369a41d2820

Gathering data

Result

Verdict:

SUSPICIOUS

Link:

https://labs.inquest.net/dfi/sha256/c6b8ec482a3f91f40f4281bdfaae026de6e14b3f3d0de58fcd7c1369a41d2820

Details

Document With Few Pages

Document contains between one and three pages of content. Most malicious documents are sparse in page count.

Verdict:

Malicious

File Type:

xls

Detections:

Trojan.Agent.HTTP.C&C HEUR:Trojan.OLE2.UrcBadur.genw HEUR:Exploit.MSOffice.CVE-2017-0199.a

Link:

https://opentip.kaspersky.com/c6b8ec482a3f91f40f4281bdfaae026de6e14b3f3d0de58fcd7c1369a41d2820/results?tab=lookup

Score:

100%

Verdict:

Malware

File Type:

OFFICE

Link:

https://malprob.io/report/c6b8ec482a3f91f40f4281bdfaae026de6e14b3f3d0de58fcd7c1369a41d2820

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c6b8ec482a3f91f40f4281bdfaae026de6e14b3f3d0de58fcd7c1369a41d2820/

Verdict:

Malicious

Threat:

Exploit.MSOffice.CVE-2017-0199

Link:

https://tip.neiki.dev/file/c6b8ec482a3f91f40f4281bdfaae026de6e14b3f3d0de58fcd7c1369a41d2820

Threat name:

Win32.Exploit.CVE-2017-0199

Status:

Suspicious

First seen:

2026-03-18 11:03:54 UTC

File Type:

Document

Extracted files:

AV detection:

11 of 37 (29.73%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=y24oysbkh6i7id2cqg67vlqcnxtocsz7hug6ld6npqjwtja5faqa._file

Result

Malware family:

n/a

Score:

1/10

Tags:

persistence ransomware

Link:

https://tria.ge/reports/260318-s4cllsd18s/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Uses Volume Shadow Copy WMI provider

Uses Volume Shadow Copy service COM API

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.76

Link:

https://yomi.yoroi.company/submissions/c6b8ec482a3f91f40f4281bdfaae026de6e14b3f3d0de58fcd7c1369a41d2820

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Detect_all_IPv6_variants Create hunting rule
Author:	Bierchermuesli
Description:	Generic IPv6 catcher

Rule name:	informational_win_ole_protected Create hunting rule
Author:	Jeff White (karttoon@gmail.com) @noottrak
Description:	Identify OLE Project protection within documents.

Rule name:	XLS_STRINGS Create hunting rule
Author:	somedieyoungZZ
Description:	Detect Strings targeting Bangladesh

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

xls c6b8ec482a3f91f40f4281bdfaae026de6e14b3f3d0de58fcd7c1369a41d2820

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/58004/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample