MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 14213c013d79ea4bc8309f730e26d52ff23c10654197b8d2d10c82bbbcd88382. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Lazarus


Vendor detections: 13



SHA256 hash: 14213c013d79ea4bc8309f730e26d52ff23c10654197b8d2d10c82bbbcd88382
SHA3-384 hash: 3861aaa99bfdbf65c50b30420dde3170f2a353faebf80da2ba19d00fcc40237966235b7992abf7fa5a0ab901b26d6363
SHA1 hash: a0e0a94417e9c594c5c68a6c815160c8b6a980ae
MD5 hash: e4541d91fca9df943b6e119dc1c6cd7f
humanhash: victor-single-april-maine
File name: 1LjZuMG417jNuMy4hbiPuIi4iriIuA.zip
Signature: Lazarus
File size: 330'839 bytes
First seen: 2025-06-19 07:48:13 UTC
Last seen: Never
File type: Word file doc
MIME type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
ssdeep: 6144:ESSOigrSYNfAAb/ITfeg9NZZNsOBlE42WKg5acUapBdRmABpB+Kr:ESSSrS0fAheWgXgVFhXr
TLSH: T1F66412495FE1140CCE9A823ED4F2449E323A6EA3457484AE24AF7CCD1F91F5F671398A
TrID: 53.6% (.DOCM) Word Microsoft Office Open XML Format document (with Macro) (52000/1/9)
      24.2% (.DOCX) Word Microsoft Office Open XML Format document (23500/1/4)
      18.0% (.ZIP) Open Packaging Conventions container (17500/1/4)
      4.1% (.ZIP) ZIP compressed archive (4000/1)
Magika: docx
Reporter: smica83
Tags: apt doc hiremployee-com Lazarus

Office OLE Information


This malware sample appears to be an Office document. The following table provides more information about this document, obtained using oletools and oledump.

OLE dump

MalwareBazaar was able to identify 16 sections in this file using oledump:

Section ID   Section size     Section name
A1           536 bytes        PROJECT
A2           95 bytes         PROJECTwm
A3           97 bytes         UserForm1/CompObj
A4           294 bytes        UserForm1/VBFrame
A5           255 bytes        UserForm1/f
A6           641856 bytes     UserForm1/o
A7           13236 bytes      VBA/Module1
A8           999 bytes        VBA/ThisDocument
A9           2471 bytes       VBA/UserForm1
A10          4056 bytes       VBA/_VBA_PROJECT
A11          2417 bytes       VBA/__SRP_0
A12          285 bytes        VBA/__SRP_1
A13          423 bytes        VBA/__SRP_2
A14          590 bytes        VBA/__SRP_3
A15          829 bytes        VBA/dir

Intelligence


File Origin
# of uploads: 1
# of downloads: 3'104
Origin country: HU

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 1LjZuMG417jNuMy4hbiPuIi4iriIuA.zip
Verdict: No threats detected
Analysis date: 2025-06-19 08:45:53 UTC
Tags: macros macros-on-open
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
File type: application/octet-stream
Has a screenshot: False
Contains macros: False

Verdict: Malicious
Score: 93.3%
Tags: office macro micro

Result
Verdict: Clean
Maliciousness:
Behaviour:
  Searching for the window
  Creating a window
  Creating synchronization primitives
  Using the Windows Management Instrumentation requests

Result
Verdict: Malicious
File Type: Word File with Macro
Behaviour:
  BlacklistAPI detected

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: base64 macros macros-on-open obfuscated

Label: Malicious
Suspicious Score: 10/10
Score Malicious: 1%
Score Benign: 0%

Result
Threat name: n/a
Detection: malicious
Classification: expl.evad
Score: 100 / 100
Signature:
  Antivirus detection for dropped file
  Document contains an embedded VBA macro with suspicious strings
  Document contains an embedded VBA with functions possibly related to ADO stream file operations
  Document exploit detected (creates forbidden files)
  Document exploit detected (drops PE files)
  Document exploit detected (process start blacklist hit)
  Multi AV Scanner detection for dropped file
  Multi AV Scanner detection for submitted file
  Office process drops PE file
  Powershell creates an autostart link
  Sigma detected: File With Uncommon Extension Created By An Office Application
  Sigma detected: Suspicious Microsoft Office Child Process
  System process connects to network (likely due to code injection or exploit)
  Windows shortcut file (LNK) contains suspicious command line arguments
Behaviour
Behavior Graph:
  Behavior Graph ID: 1718368
  Sample: 1LjZuMG417jNuMy4hbiPuIi4iri...
  Startdate: 19/06/2025
  Architecture: WINDOWS
  Score: 100
  Network (from start node): hiremployee.com; s-0005.dual-s-msedge.net; 3 other IPs or domains
  Signatures (start node): Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 8 other signatures
  Process tree:
    WINWORD.EXE
      dropped: C:\ProgramData\WPSOffice\wpsoffice_aam.ocx (PE32+)
      dropped: C:\ProgramData\USOShared\USOPrivate.dll (PE32+)
      dropped: C:\...\IITK_Official_Lecture_Invite_TASL.docx (Microsoft)
      signature: Document exploit detected (creates forbidden files)
      cmd.exe
        powershell.exe
          dropped: C:\ProgramData\USOShared\Micro.lnk (MS)
          signature: Powershell creates an autostart link
        conhost.exe
      cmd.exe
        rundll32.exe
          network: hiremployee.com 166.88.132.68, 443, 49698, 49700, EGIHOSTINGUS, United States
          WerFault.exe
        conhost.exe
      cmd.exe
        conhost.exe
    rundll32.exe
      signature: System process connects to network (likely due to code injection or exploit)
    WINWORD.EXE
Threat name: Win32.Trojan.Egairtigado
Status: Malicious
First seen: 2025-06-19 08:17:14 UTC
AV detection: 14 of 24 (58.33%)
Threat level: 5/5

Result
Malware family: n/a
Score: 10/10
Tags: execution macro
Behaviour:
  Checks processor information in registry
  Enumerates system info in registry
  Suspicious behavior: AddClipboardFormatListener
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of FindShellTrayWindow
  Suspicious use of SetWindowsHookEx
  Suspicious use of WriteProcessMemory
  Command and Scripting Interpreter: PowerShell
  Loads dropped DLL
  Blocklisted process makes network request
  Process spawned unexpected child process

Verdict: Malicious
Tags: trojan TA505
YARA: TA505_Maldoc_21Nov_2
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: informational_win_ole_protected
Author: Jeff White (karttoon@gmail.com) @noottrak
Description: Identify OLE Project protection within documents.

Rule name: SUSP_VBS_in_ISO
Author: SECUINFRA Falcon Team
Description: Detects ISO files that contain VBS functions
Reference: Internal Research

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

Rule name: TA505_Maldoc_21Nov_2
Author: Arkbird_SOLG
Description: invitation (1).xls
Reference: https://twitter.com/58_158_177_102/status/1197432303057637377

Rule name: vbaproject_bin
Author: CD_R0M_
Description: {76 62 61 50 72 6f 6a 65 63 74 2e 62 69 6e} is hex for vbaproject.bin. Macros are often used by threat actors. Work in progress - Ran out of time

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments