MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d08e0a6a41a53e4b7c95501a5af1cd679013fd3493834a324c07d9881a8ed702. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 15


Intelligence 15 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d08e0a6a41a53e4b7c95501a5af1cd679013fd3493834a324c07d9881a8ed702
SHA3-384 hash: acd278f8b4bd5d54c6927863d748c0e6e0a9d951245ef3bc5f4aef5da88259251076680595f557a2b6729d597c9ee494
SHA1 hash: a921e8fa2859ba7634bd3b83fa1bd19d369ac02f
MD5 hash: 12dde55730418ad2f4a21b60a460477f
humanhash: pip-ohio-carpet-hawaii
File name:QUOTATION#PH00252100.xlam
Download: download sample
File size:3'424'911 bytes
First seen:2026-03-16 17:26:53 UTC
Last seen:Never
File type:Excel file xlsx
MIME type:application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
ssdeep 49152:5u3G3f/ne6y/+J5ru5wn9eKXzYdUd/o9IWOr0FzTipVDZal5HJFwyAxT:5u304geKjYo6ko+/D4PHJFwT
TLSH T1BAF501C4C8432970AB3D6851CB5FDA2D201FB4B322261A2D6D6572E8BD5C4F7CDA52BC
TrID 61.2% (.XLSX) Excel Microsoft Office Open XML Format document (34000/1/7)
31.5% (.ZIP) Open Packaging Conventions container (17500/1/4)
7.2% (.ZIP) ZIP compressed archive (4000/1)
Magika xlsx
Reporter lowmal3
Tags:CVE-2017-11882 xlsx

Office OLE Information

This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE dump

MalwareBazaar was able to identify 3 sections in this file using oledump:

Section IDSection sizeSection name
A10 bytesJaACunofY0y37QblPUyLxL6y
A22896042 byteseQUATIoN NaTIVE

Intelligence

File Origin
# of uploads :
1
# of downloads :
175
Origin country :
DE DE
Vendor Threat Intelligence
Malware configuration found for:
MSO
Details
MSO
extracted OLE packages, if they are present within the input OOXML document
Link:
https://research.acce.ciphertechsolutions.com/results/b9e1e0a4-836a-4c42-af5b-e26a14ea2f84/
Malware family:
n/a
ID:
1
File name:
QUOTATION#PH00252100.xlam
Verdict:
No threats detected
Analysis date:
2026-03-16 17:30:03 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f799cd04-3f0a-4f73-8886-0837e7f251cd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Legit
File type:
text/xml
Has a screenshot:
False
Contains macros:
False
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/57660/
Detection(s):
TwinWave.EvilDoc.OkayLureDefenderXL.20220418.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69b83d7588c80c01586adabc
Tags:
office virus shell
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Creating a window
Searching for synchronization primitives
Launching a process
Connecting to a non-recommended domain
Sending an HTTP GET request
Creating a file in the %AppData% directory
Сreating synchronization primitives
Creating a file
Possible injection to a system process
Connection attempt by exploiting the app vulnerability
Forced shutdown of a system process
Unauthorized injection to a system process
Creating a process from a recently created file
Result
Verdict:
Malicious
File Type:
OOXML Excel File with Embedding Objects
Link:
https://app.docguard.net/d08e0a6a41a53e4b7c95501a5af1cd679013fd3493834a324c07d9881a8ed702/results/dashboard
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Labled as:
CVE-2018-0798
Link:
https://www.hybrid-analysis.com/sample/d08e0a6a41a53e4b7c95501a5af1cd679013fd3493834a324c07d9881a8ed702
Label:
Malicious
Suspicious Score:
9.4/10
Score Malicious:
95%
Score Benign:
5%
Link:
https://www.malware.ai/gui/files/?id=0883d94f-2d69-4bfb-8416-a73b4d907d75
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/d08e0a6a41a53e4b7c95501a5af1cd679013fd3493834a324c07d9881a8ed702
Verdict:
Malicious
File Type:
xlam
Detections:
Exploit.MSOffice.CVE-2018-0802.b Trojan-Dropper.MSOffice.SDrop.sb Trojan-Downloader.MSOffice.SLoad.sb Trojan.Win32.Shelma.sb Trojan.MSOffice.Agent.sb HEUR:Trojan.Script.Generic HEUR:Exploit.MSOffice.CVE-2018-0802.gen Trojan.JS.SAgent.sb Trojan-Downloader.Win32.Agent.sb Trojan.PowerShell.Cobalt.sb Trojan.MSOffice.SAgent.sb HEUR:Worm.Script.Generic HEUR:Trojan-Downloader.Script.Generic HEUR:Exploit.MSOffice.CVE-2017-11882.i
Link:
https://opentip.kaspersky.com/d08e0a6a41a53e4b7c95501a5af1cd679013fd3493834a324c07d9881a8ed702/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
phis
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1884433
Signature
AI detected malicious page (phishing or scam)
Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
OFFICE
Link:
https://malprob.io/report/d08e0a6a41a53e4b7c95501a5af1cd679013fd3493834a324c07d9881a8ed702
Verdict:
inconclusive
YARA:
3 match(es)
Tags:
Office Document
Link:
https://app.malva.re/file/12dde55730418ad2f4a21b60a460477f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d08e0a6a41a53e4b7c95501a5af1cd679013fd3493834a324c07d9881a8ed702/
Verdict:
Malicious
Link:
https://tip.neiki.dev/file/d08e0a6a41a53e4b7c95501a5af1cd679013fd3493834a324c07d9881a8ed702
Threat name:
Document-Office.Exploit.CVE-2017-11882
Create hunting rule
Status:
Malicious
First seen:
2026-03-16 17:27:23 UTC
File Type:
Document
Extracted files:
19
AV detection:
20 of 36 (55.56%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2chau2sbuu7ew7evkanfv4onm6ibh7jusobuumsma7myqguo24ba._file
Result
Malware family:
n/a
Score:
  1/10
Tags:
persistence ransomware
Link:
https://tria.ge/reports/260316-v1jxmadt3l/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d08e0a6a41a5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d08e0a6a41a53e4b7c95501a5af1cd679013fd3493834a324c07d9881a8ed702

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:telebot_framework
Create hunting rule
Author:vietdx.mb
Rule name:Warp
Create hunting rule
Author:Seth Hardy
Description:Warp
Rule name:WarpStrings
Create hunting rule
Author:Seth Hardy
Description:Warp Identifying Strings

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Excel file xlsx d08e0a6a41a53e4b7c95501a5af1cd679013fd3493834a324c07d9881a8ed702

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/57660/

Comments


Avatar
commented on 2026-03-16 20:48:55 UTC

Payload URL:
http://91.92.242.3:7777/noesisllc.online/fisherzxcc/fisherxx/tgckftbiqazqkklwtwtu7vhhnh6foxc.js