MALICIOUS
102
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1204.002 Malicious Link
The document contains a heuristic firing for 'SE_CLIPBOARD_COMMAND_LURE', indicating it instructs the user to copy and paste commands into a shell. The embedded PHP code, identified as 'r57shell', is a known web shell often used for remote administration and execution of arbitrary commands. Although VBA macros could not be extracted due to an unsupported format, the presence of the web shell code and the lure strongly suggest an attempt to gain remote access or execute further malicious payloads. The embedded URLs are likely related to the hosting or command-and-control infrastructure.
Heuristics 3
-
PHP webshell / backdoor source critical WEBSHELL_PHPThe file contains PHP server-side code with the signature of a webshell/backdoor (named PHP webshell banner (r57shell)). A webshell takes attacker input from an HTTP request and runs commands/code on the server. Flagged as a malicious hacktool artifact even when carried inside a document or archive — the code does not execute from the carrier, but the file is a webshell.
-
Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LUREDocument tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://rst.void.ru In document text (OLE body)
- http://www.antichat.ruIn document text (OLE body)
Open this report in the interactive analyzer, or submit your own file for analysis.