MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dc5041ab5507e06d08cfc02516eab7286b98e669596f20003494a1fd13d5b1fd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments

SHA256 hash:	dc5041ab5507e06d08cfc02516eab7286b98e669596f20003494a1fd13d5b1fd
SHA3-384 hash:	3589ee1fb2e39168a807c17e56da117682baba00bafe9ec18466a88254dc7546c5552522879b9abd74be034e277ba93f
SHA1 hash:	2cf757957c9557b088138a415ed0de000125ff9c
MD5 hash:	4a4d2a4fcfe40268e47b1a686bce13af
humanhash:	river-failed-jig-lamp
File name:	dc5041ab5507e06d08cfc02516eab7286b98e669596f20003494a1fd13d5b1fd.xls
Download:	download sample
File size:	1'458'688 bytes
First seen:	2026-02-04 05:16:10 UTC
Last seen:	2026-02-04 06:21:24 UTC
File type:	xls
MIME type:	application/vnd.ms-excel
ssdeep	24576:u1k3+nYgpl0TuveaRuPWN3bKtu08GKxebj9xvS0XFlHhj/8LiEfMpb88lTqqX:uSqT/0qveaRuIrKs52jCMlHhKM18L
TLSH	T1B965221ADF91EB6FC016AAF44AC3C1E1413D7D96B24B0A0F2B01376668371F6D99272D
TrID	34.9% (.XLS) Microsoft Excel sheet (32500/1/3) 30.1% (.XLS) Microsoft Excel sheet (alternate) (28000/1/3) 26.3% (.XLS) Microsoft Excel sheet (alternate) (24500/1/2) 8.6% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika	xls
Reporter	JAMESWT_WT
Tags:	107-174-33-21 cve-2017-0199 xls

Office OLE Information

This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE dump

MalwareBazaar was able to identify 15 sections in this file using oledump:

Section ID	Section size	Section name
1	114 bytes	CompObj
2	244 bytes	DocumentSummaryInformation
3	200 bytes	SummaryInformation
4	99 bytes	MBD005A69FF/CompObj
5	832329 bytes	MBD005A69FF/Package
6	498 bytes	MBD005A6A00/Ole
7	600494 bytes	Workbook
8	525 bytes	_VBA_PROJECT_CUR/PROJECT
9	104 bytes	_VBA_PROJECT_CUR/PROJECTwm
10	977 bytes	_VBA_PROJECT_CUR/VBA/Sheet1
11	977 bytes	_VBA_PROJECT_CUR/VBA/Sheet2
12	977 bytes	_VBA_PROJECT_CUR/VBA/Sheet3
13	985 bytes	_VBA_PROJECT_CUR/VBA/ThisWorkbook
14	2644 bytes	_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
15	553 bytes	_VBA_PROJECT_CUR/VBA/dir

Intelligence

File Origin

# of uploads :

# of downloads :

103

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

MSO

Details

MSO

extracted VBA Macros and, if observed, MS-OFORM variables/data are added to the knowledge base for usage in later parsing of the Macros

Link:

https://research.acce.ciphertechsolutions.com/results/9ff827eb-519c-48cd-bb82-5545c52ca106/

Malware family:

n/a

ID:

File name:

dc5041ab5507e06d08cfc02516eab7286b98e669596f20003494a1fd13d5b1fd.xls

Verdict:

No threats detected

Analysis date:

2026-02-04 05:19:04 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/3123e85e-1e4f-4f0c-aa04-1eb2bc1f0904

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/51610/

Detection(s):

SecuriteInfo.com.Other.Malware-gen.24537698.UNOFFICIAL

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6982d6319a60ec70d92ca10c

Tags:

msexcel virus macro

Result

Verdict:

Malicious

File Type:

Legacy Excel File with Macro

Link:

https://app.docguard.net/dc5041ab5507e06d08cfc02516eab7286b98e669596f20003494a1fd13d5b1fd/results/dashboard

Payload URLs

URL

File name

https://shct.io/u-TiWD

Embedded Ole

Behaviour

SuspiciousRTF detected

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

cve-2017-0199 exploit macros

Link:

https://www.filescan.io/uploads/6982d62b981ff1d38a478949/reports/f778b75a-d284-4f43-a9a5-2473ec23a34a/overview

Verdict:

Malicious

Labled as:

CVE-2017-0199

Link:

https://www.hybrid-analysis.com/sample/dc5041ab5507e06d08cfc02516eab7286b98e669596f20003494a1fd13d5b1fd

Label:

Malicious

Suspicious Score:

10/10

Score Malicious:

Score Benign:

Link:

https://www.malware.ai/gui/files/?id=fd36f64a-ee5c-4465-be40-80e2d1fbf12f

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/dc5041ab5507e06d08cfc02516eab7286b98e669596f20003494a1fd13d5b1fd

Details

Excel Macro Manipulates Hidden Sheets

Detected macro logic designed to hide a sheet within the current, or another spreadsheet. This technique is not necessarily indicative of malicious behavior as hidden sheets have legitimate uses.

Verdict:

Malicious

File Type:

xls

First seen:

2026-01-15T08:51:00Z UTC

Last seen:

2026-02-04T05:13:00Z UTC

Hits:

~100

Detections:

Trojan-Downloader.Agent.HTTP.C&C PDM:Exploit.Win32.Generic HEUR:Exploit.MSOffice.CVE-2017-0199.gen HEUR:Trojan.MSOffice.Alien.gen

Link:

https://opentip.kaspersky.com/dc5041ab5507e06d08cfc02516eab7286b98e669596f20003494a1fd13d5b1fd/results?tab=lookup

Score:

100%

Verdict:

Malware

File Type:

OFFICE

Link:

https://malprob.io/report/dc5041ab5507e06d08cfc02516eab7286b98e669596f20003494a1fd13d5b1fd

Verdict:

Malware

YARA:

6 match(es)

Tags:

Corrupted Office Document

Link:

https://app.malva.re/file/4a4d2a4fcfe40268e47b1a686bce13af

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/dc5041ab5507e06d08cfc02516eab7286b98e669596f20003494a1fd13d5b1fd/

Verdict:

Malicious

Threat:

Trojan.MSOffice.Alien

Link:

https://tip.neiki.dev/file/dc5041ab5507e06d08cfc02516eab7286b98e669596f20003494a1fd13d5b1fd

Threat name:

Win32.Exploit.CVE-2017-0199

Status:

Malicious

First seen:

2026-01-19 04:07:57 UTC

File Type:

Document

Extracted files:

AV detection:

12 of 36 (33.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3riedk2va7qg2cgpyasrn2vxfbvzrztjlfxsaabussq72e6vwh6q._file

Result

Malware family:

n/a

Score:

1/10

Tags:

persistence ransomware

Link:

https://tria.ge/reports/260204-fycm7scx4e/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Uses Volume Shadow Copy WMI provider

Uses Volume Shadow Copy service COM API

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.76

Link:

https://yomi.yoroi.company/submissions/dc5041ab5507e06d08cfc02516eab7286b98e669596f20003494a1fd13d5b1fd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	informational_win_ole_protected Create hunting rule
Author:	Jeff White (karttoon@gmail.com) @noottrak
Description:	Identify OLE Project protection within documents.

Rule name:	XLS_STRINGS Create hunting rule
Author:	somedieyoungZZ
Description:	Detect Strings targeting Bangladesh

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/51610/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample