MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f224f150405471b450aee9340cbb861df3563eefd60db1028d88fbc5ddc3a76f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 13


Maldoc score: 4


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f224f150405471b450aee9340cbb861df3563eefd60db1028d88fbc5ddc3a76f
SHA3-384 hash: 68bd182807cb40fb0eb7deb819ceb99d90433efccfca535e0edf1db5a55f72f7dacd587f13898120610a15a7aec21df2
SHA1 hash: cdd4d839b81dfe7902d94a1a0f2ff6eeff9efd2d
MD5 hash: 377484b3fb484068d3becc59a9a25b02
humanhash: oranges-avocado-burger-victor
File name:460.xls
Download: download sample
Signature MassLogger
Create hunting rule
File size:1'617'920 bytes
First seen:2025-04-10 16:08:25 UTC
Last seen:Never
File type:Excel file xls
MIME type:application/vnd.ms-excel
ssdeep 49152:t1Wn6wlVarSI9CqX7b/+kNwGe/zFdVj8GrNdor:t1Wn6AVa+Il6GCFdq6d
TLSH T1AD75232854A24F06D7EF15BA8ED1E6760126BC643A1CF9F7F248F36AB930A505BC354C
TrID 46.5% (.XLS) Microsoft Excel sheet (alternate) (56500/1/4)
26.7% (.XLS) Microsoft Excel sheet (32500/1/3)
20.1% (.XLS) Microsoft Excel sheet (alternate) (24500/1/2)
6.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika xls
Reporter abuse_ch
Tags:cve-2017-0199 xls

Office OLE Information

This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE id
Maldoc score: 4
OLE dump

MalwareBazaar was able to identify 15 sections in this file using oledump:

Section IDSection sizeSection name
1114 bytesCompObj
2244 bytesDocumentSummaryInformation
3200 bytesSummaryInformation
499 bytesMBD0049B702/CompObj
5716656 bytesMBD0049B702/Package
6644 bytesMBD0049B703/Ole
7874362 bytesWorkbook
8527 bytes_VBA_PROJECT_CUR/PROJECT
9104 bytes_VBA_PROJECT_CUR/PROJECTwm
10977 bytes_VBA_PROJECT_CUR/VBA/Sheet1
11977 bytes_VBA_PROJECT_CUR/VBA/Sheet2
12977 bytes_VBA_PROJECT_CUR/VBA/Sheet3
13985 bytes_VBA_PROJECT_CUR/VBA/ThisWorkbook
142644 bytes_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
15553 bytes_VBA_PROJECT_CUR/VBA/dir
OLE vba

MalwareBazaar was able to extract and deobfuscate VBA script(s) the following information from OLE objects embedded in this file using olevba:

TypeKeywordDescription
SuspiciousHex StringsHex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)

Intelligence

File Origin
# of uploads :
1
# of downloads :
499
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
460.xls
Verdict:
No threats detected
Analysis date:
2025-04-10 17:56:02 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/70027d7b-708d-4c6a-8396-28b7478baff3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Legit
File type:
application/vnd.ms-excel
Has a screenshot:
False
Contains macros:
False
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/1628/
Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67f7f1141dba888a93cf598a
Tags:
macro micro w97m
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Using the Windows Management Instrumentation requests
Result
Verdict:
Malicious
File Type:
Legacy Excel File with Macro
Link:
https://app.docguard.net/f224f150405471b450aee9340cbb861df3563eefd60db1028d88fbc5ddc3a76f/results/dashboard
Payload URLs
URL
File name
https://greatmagicheregoingtohappenedsoonfornewlifebegentoyou@salsita.link/hotJGx
Embedded Ole
Behaviour
SuspiciousRTF detected
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
macros
Link:
https://www.filescan.io/uploads/67f7ed322d430c849e11d83f/reports/14961609-4815-4d1a-9532-06cdc37d5d82/overview
Verdict:
Malicious
Labled as:
CVE-2017-0199
Link:
https://www.hybrid-analysis.com/sample/f224f150405471b450aee9340cbb861df3563eefd60db1028d88fbc5ddc3a76f
Label:
Malicious
Suspicious Score:
10/10
Score Malicious:
1%
Score Benign:
0%
Link:
https://www.malware.ai/gui/files/?id=36e4c283-37dd-4943-8134-4b6b4af51744
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/f224f150405471b450aee9340cbb861df3563eefd60db1028d88fbc5ddc3a76f
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/1662151
Signature
Excel sheet contains many unusual embedded objects
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
OFFICE
Link:
https://malprob.io/report/f224f150405471b450aee9340cbb861df3563eefd60db1028d88fbc5ddc3a76f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f224f150405471b450aee9340cbb861df3563eefd60db1028d88fbc5ddc3a76f/
Threat name:
Document-Office.Exploit.CVE-2017-0199
Create hunting rule
Status:
Malicious
First seen:
2025-04-09 10:41:26 UTC
File Type:
Document
Extracted files:
48
AV detection:
15 of 38 (39.47%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6ispcucakry3iufo5e2azo4gdxzvmpxp2yg3caunrd54lxodu5xq._file
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/250410-tly8bswyax/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/feac13e2-d63d-494f-a7be-2693adf728b0
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f224f150405471b450aee9340cbb861df3563eefd60db1028d88fbc5ddc3a76f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:informational_win_ole_protected
Create hunting rule
Author:Jeff White (karttoon@gmail.com) @noottrak
Description:Identify OLE Project protection within documents.
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:XLS_STRINGS
Create hunting rule
Author:somedieyoungZZ
Description:Detect Strings targeting Bangladesh

File information

The table below shows additional information about this malware sample such as delivery method and external references.

MassLogger

Excel file xls f224f150405471b450aee9340cbb861df3563eefd60db1028d88fbc5ddc3a76f

(this sample)

MassLogger

Executable exe f919ad3a0b960e8665024b04de0d5e9b9b8bcfd50276cb6ad03ac3a5ff8f1a48

Cape
Cape
https://www.capesandbox.com/analysis/1628/
  
Dropping
SHA256 f919ad3a0b960e8665024b04de0d5e9b9b8bcfd50276cb6ad03ac3a5ff8f1a48
  
Dropping
MD5 beda5984a652d9931902980a4d7c258b
  
Dropping
SHA256 e6b4e22e1a1c4aa15082a4ccbee8fd9f428e70457f7c661ef4f1ef65e7771b95
  
Dropping
MD5 73a21ea2d5075f0897296ea2d19f83ad

Comments