MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dde56ba22cb3c9b21398ff19a4e45c20113cfa064fa25819564ec3416b9640c6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 14



SHA256 hash: dde56ba22cb3c9b21398ff19a4e45c20113cfa064fa25819564ec3416b9640c6
SHA3-384 hash: 56eb1032b290a1a5167994c63dd56db1a15a5abf54d4a763d314d8d9266ef211af95941f0dbd8885b03ae50572f68700
SHA1 hash: 25bb5d9df1fe35b14793c64b46221caf6bfd76e2
MD5 hash: d7a6d5427c19c0caa44b1590b5b6e809
humanhash: beryllium-fruit-louisiana-triple
File name: Orden_de_compra_para_procesamiento.xls
File size: 1'179'648 bytes
First seen: 2026-06-16 14:05:06 UTC
Last seen: Never
File type: Excel file xls
MIME type: application/vnd.ms-excel
ssdeep: 12288:GDylH4wSo4A8EVZau7yLLw6OrB7uDylH4wSo4A8EVZau7yLLw6OrB7l/:l+wMEcIdB7N+wMEcIdB71
TLSH: T195450CA2DEB7DE3ECB798F314AE68205A7745C52C331CB07A5853139BAD9E20BD450C9
TrID:
32.3% (.MSP) Windows Installer Patch (44509/10/5)
23.6% (.XLS) Microsoft Excel sheet (32500/1/3)
20.3% (.XLS) Microsoft Excel sheet (alternate) (28000/1/3)
17.8% (.XLS) Microsoft Excel sheet (alternate) (24500/1/2)
5.8% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika: xls
Reporter: abuse_ch
Tags: CVE-2017-11882 xls

Intelligence


File Origin
# of uploads: 1
# of downloads: 153
Origin country: SE
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: _dde56ba22cb3c9b21398ff19a4e45c20113cfa064fa25819564ec3416b9640c6.xls
Verdict: No threats detected
Analysis date: 2026-06-16 14:08:15 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Legit
File type: application/vnd.ms-excel
Has a screenshot: False
Contains macros: False

Verdict: Malicious
Score: 92.5%
Tags: vmdetect office micro macro
Result
Verdict: Malware
Maliciousness:
Behaviour:
Creating a window
Searching for synchronization primitives
Launching a process
Launching a service

Result
Verdict: Malicious
File Type: Legacy Excel File with Macro
Behaviour: BlacklistAPI detected

Label: Malicious
Suspicious Score: 10/10
Score Malicious: 1%
Score Benign: 0%

Verdict: Malicious
File Type: xls
First seen: 2026-06-16T11:15:00Z UTC
Last seen: 2026-06-17T12:41:00Z UTC
Hits: ~100
Detections: Trojan-Downloader.Agent.HTTP.C&C HEUR:Trojan.Script.Generic Trojan.Win32.Shelma.sb Trojan-Downloader.MSOffice.SLoad.sb HEUR:Exploit.MSOffice.Generic Exploit.MSOffice.CVE-2017-11882.sb
Gathering data
Verdict: Malicious
Threat: Trojan.MSOffice.CVE-2017-11882

Threat name: Win32.Exploit.CVE-2017-11882
Status: Malicious
First seen: 2026-06-16 14:05:59 UTC
File Type: Document
Extracted files: 41
AV detection: 12 of 24 (50.00%)
Threat level: 5/5

Result
Malware family: n/a
Score: 1/10
Tags: persistence ransomware
Behaviour:
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: informational_win_ole_protected
Author: Jeff White (karttoon@gmail.com) @noottrak
Description: Identify OLE Project protection within documents.

Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques

Rule name: XLS_STRINGS
Author: somedieyoungZZ
Description: Detect Strings targeting Bangladesh

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments