MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d52b8e527ad35f54de8e65b0d7c324a9c1afddcd0d09e4d20ea0cb7c8b327394. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	d52b8e527ad35f54de8e65b0d7c324a9c1afddcd0d09e4d20ea0cb7c8b327394
SHA3-384 hash:	832d74bf60b68537e74b382f369d424a5be38b4142d66e76482e37d618942673df54744feeb715326ed99be03f511fbb
SHA1 hash:	aea62b0466c64967303de73085f16f40018cd44e
MD5 hash:	9a809e0f1d435948eacdf1f0fb8b8316
humanhash:	magnesium-burger-four-five
File name:	PI-90349003421.xlsx
Download:	download sample
Signature	AgentTesla Alert Create hunting rule
File size:	1'593'929 bytes
First seen:	2024-10-17 07:36:14 UTC
Last seen:	Never
File type:	xlsx
MIME type:	application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
ssdeep	24576:uVuRVKY8KpiARLlSRqqCfboz6Ga73J1Tkiv9jnQIesN7Vsj5j8m4beb9I:DRYipb0Rq5f06G8PVv9jnMsNOVomFW
TLSH	T13775337E923E78ACF1D39FF1C30E6AA7470702403CEB6666B031642784B651649BBE65
TrID	61.2% (.XLSX) Excel Microsoft Office Open XML Format document (34000/1/7) 31.5% (.ZIP) Open Packaging Conventions container (17500/1/4) 7.2% (.ZIP) ZIP compressed archive (4000/1)
Magika	xlsx
Reporter	lowmal3
Tags:	AgentTesla CVE-2017-11882 xlsx

Office OLE Information

---

This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE dump

MalwareBazaar was able to identify 3 sections in this file using oledump:

Section ID	Section size	Section name
A1	1831604 bytes	OLE10nATIvE
A2	0 bytes	0aWSI0aTuO0isjcJ6KHC2tg

Intelligence

---

File Origin

# of uploads :

1

# of downloads :

2'932

Origin country :

DE

Vendor Threat Intelligence

ANY.RUN

Malware family:

n/a

ID:

1

File name:

PI-90349003421.xlsx

Verdict:

No threats detected

Analysis date:

2024-10-17 07:40:04 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/9db32b5d-6785-4526-a35d-25e8b09d2277

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

CyberFortress Malicious

Verdict:

Malicious

Score:

96.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6710bea11d4ef219fa63a5df

Tags:

Powershell Agenttesla

DocGuard Malicious

Result

Verdict:

Malicious

File Type:

OOXML Excel File with Embedding Objects

Link:

https://app.docguard.net/d52b8e527ad35f54de8e65b0d7c324a9c1afddcd0d09e4d20ea0cb7c8b327394/results/dashboard

Behaviour

BlacklistAPI detected

Document image

Image:

Download PNG

FileScan.IO Malicious

Verdict:

Malicious

Threat level:

  10/10

Confidence:

100%

Tags:

embedequation exploit language-ms shellcode

Link:

https://www.filescan.io/uploads/6710bea05c4ea75bc80ab1b6/reports/4225af4b-9178-4055-ab6a-01dfe4bfc8c9/overview

Hybrid Analysis CVE-2017-11882

Verdict:

Malicious

Labled as:

CVE-2017-11882

Link:

https://www.hybrid-analysis.com/sample/d52b8e527ad35f54de8e65b0d7c324a9c1afddcd0d09e4d20ea0cb7c8b327394

inlyse Malware.AI Malicious

Label:

Malicious

Suspicious Score:

9.8/10

Score Malicious:

99%

Score Benign:

1%

Link:

https://www.malware.ai/gui/files/?id=7c435d6e-9874-44c7-8b9b-fd8c34897cb1

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/d52b8e527ad35f54de8e65b0d7c324a9c1afddcd0d09e4d20ea0cb7c8b327394

Joe Sandbox malicious

Result

Threat name:

n/a

Detection:

malicious

Classification:

expl

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/1535768

Signature

Antivirus / Scanner detection for submitted sample

Document contains OLE streams with names of living off the land binaries

Document exploit detected (process start blacklist hit)

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Office equation editor establishes network connection

Shellcode detected

Sigma detected: Equation Editor Network Connection

Behaviour

Behavior Graph:

Download SVG

Nucleon Malprob Benign

Score:

23%

Verdict:

Benign

File Type:

OFFICE

Link:

https://malprob.io/report/d52b8e527ad35f54de8e65b0d7c324a9c1afddcd0d09e4d20ea0cb7c8b327394

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d52b8e527ad35f54de8e65b0d7c324a9c1afddcd0d09e4d20ea0cb7c8b327394/

ReversingLabs TitaniumCloud Document-Office.Exploit.CVE-2017-11882

Threat name:

Document-Office.Exploit.CVE-2017-11882

Alert

Create hunting rule

Status:

Malicious

First seen:

2024-10-15 12:38:48 UTC

File Type:

Document

Extracted files:

19

AV detection:

18 of 24 (75.00%)

Threat level:

  5/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=2uvy4ut22npvjxuomwynpqzevha27xonbue6juqoudfxzczsooka._file

Threatray agenttesla_v4 unknown_loader_037 agenttesla

Verdict:

malicious

Label(s):

agenttesla_v4

Alert

Create hunting rule

unknown_loader_037

Alert

Create hunting rule

agenttesla

Alert

Create hunting rule

Similar samples:

error

AgentTesla

Hatching Triage agenttesla

Result

Malware family:

agenttesla

Alert

Create hunting rule

Score:

  10/10

Tags:

family:agenttesla collection discovery execution keylogger spyware stealer trojan

Link:

https://tria.ge/reports/241017-jfs41sxgpc/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Launches Equation Editor

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Uses Volume Shadow Copy WMI provider

Uses Volume Shadow Copy service COM API

outlook_office_path

outlook_win_path

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Drops file in System32 directory

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Executes dropped EXE

Loads dropped DLL

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Downloads MZ/PE file

AgentTesla

Threat.Zone Suspicious

Verdict:

Suspicious

Tags:

exploit

YARA:

INDICATOR_OLE_EXPLOIT_CVE_2017_11882_1

Link:

https://app.threat.zone/submission/7f06d7c8-9415-476a-9525-f53c59c229bc

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Malicious File

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d52b8e527ad35f54de8e65b0d7c324a9c1afddcd0d09e4d20ea0cb7c8b327394

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

xlsx d52b8e527ad35f54de8e65b0d7c324a9c1afddcd0d09e4d20ea0cb7c8b327394

(this sample)

  

Delivery method

Distributed via e-mail attachment

Comments

---

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample

Report a False Positive

×

Email:

If you provide your email address, we can give you feedback on your false positive report

Comment: Please describe why you think this file is a false positive

Note

False positives reports are handled by the Spamhaus Project. In case you provide your email address, someone from the Spamhaus Project may reach out to you to give you feedback on your false positive report.

Close Submit

Delete sample

×

You are about to delete this sample from MalwareBazaar. Do you want to continue?

Removal comment: Please quickly comment why you delete this file from MalwareBazaar

Cancel Delete

Add tag

×

Tag:

If you would like to add multiple tags at once, separate them by a comma - e.g. Emotet,exe,REvil

Close Add

Set Signature

×

Signature:

Close Set

Set File Type

×

File Type:

Close Set

Remove tag

×

Tag:

If you would like to add multiple tags at once, separate them by a comma - e.g. Emotet,exe,REvil

Close Remove