General

  • Target

    52211541d8cb47134dcb67c14a2c851edfeb5191d489916b2f691b4fe15b312a

  • Size

    372KB

  • MD5

    cca002334f80fe18f0ea49263f8519aa

  • SHA1

    ba6b2d4f9be0421c9b75e07c54c4b6fc88887d94

  • SHA256

    52211541d8cb47134dcb67c14a2c851edfeb5191d489916b2f691b4fe15b312a

  • SHA512

    d774f35ff4989c156a461b132ed3e7eddf68b8006fd8f3cc38586de89cb45ff2afbb16b373c9f4f6509659441b0e4e819c93798cf72b00b3720f356ca182b088

  • SSDEEP

    3072:LvuaXv2UlZoXUS8WbCA9U2xmYhp3y4/20qlGaOlko0uGQWslNXGEqR3RLO3fokwJ:A31YGV0k36+qvvApW+XG

Malware Config

Signatures

  • Office macro that triggers on suspicious action 1 IoCs

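    Office document macro that runs automatically under specific conditions instead of when the user explicitly starts it - often malicious. In this sample the likely match is the set of `Private Sub Worksheet_Activate()` event procedures listed under Files, which run when their sheet is activated. Their bodies are truncated on this page, so the full macro source is needed to judge what they do.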

  • Suspicious Office macro 1 IoCs

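    Office document equipped with macros. This signature only reports that VBA code is present; it does not by itself say anything about what the code does.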

Files

  • 52211541d8cb47134dcb67c14a2c851edfeb5191d489916b2f691b4fe15b312a
    .doc windows office2003

    ThisWorkbook

    1
    ' Document-module header for ThisWorkbook; no procedure appears in the ten lines previewed.
    ' NOTE(review): the VB_Base class ID {00020819-...} is the one Excel assigns to its
    ' workbook object, and the sheet modules below carry the worksheet ID {00020820-...}.
    ' That suggests an Excel workbook even though the file is tagged ".doc" above -
    ' confirm the container type before choosing extraction tooling.
    Attribute VB_Name = "ThisWorkbook"
    2
    Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
    3
    Attribute VB_GlobalNameSpace = False
    4
    Attribute VB_Creatable = False
    5
    Attribute VB_PredeclaredId = True
    6
    Attribute VB_Exposed = True
    7
    Attribute VB_TemplateDerived = False
    8
    Attribute VB_Customizable = True
    9
    10

    Sheet1

    1
    Attribute VB_Name = "Sheet1"
    2
    Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
    3
    Attribute VB_GlobalNameSpace = False
    4
    Attribute VB_Creatable = False
    5
    Attribute VB_PredeclaredId = True
    6
    Attribute VB_Exposed = True
    7
    Attribute VB_TemplateDerived = False
    8
    Attribute VB_Customizable = True
    9
    Private Sub Worksheet_Activate()
    10
    On Error Resume Next

    Sheet2

    1
    Attribute VB_Name = "Sheet2"
    2
    Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
    3
    Attribute VB_GlobalNameSpace = False
    4
    Attribute VB_Creatable = False
    5
    Attribute VB_PredeclaredId = True
    6
    Attribute VB_Exposed = True
    7
    Attribute VB_TemplateDerived = False
    8
    Attribute VB_Customizable = True
    9
    Private Sub Worksheet_Activate()
    10
    On Error Resume Next

    Sheet4

    1
    Attribute VB_Name = "Sheet4"
    2
    Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
    3
    Attribute VB_GlobalNameSpace = False
    4
    Attribute VB_Creatable = False
    5
    Attribute VB_PredeclaredId = True
    6
    Attribute VB_Exposed = True
    7
    Attribute VB_TemplateDerived = False
    8
    Attribute VB_Customizable = True
    9
    Private Sub Worksheet_Activate()
    10
    On Error Resume Next

    Sheet5

    1
    Attribute VB_Name = "Sheet5"
    2
    Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
    3
    Attribute VB_GlobalNameSpace = False
    4
    Attribute VB_Creatable = False
    5
    Attribute VB_PredeclaredId = True
    6
    Attribute VB_Exposed = True
    7
    Attribute VB_TemplateDerived = False
    8
    Attribute VB_Customizable = True
    9

    Sheet3

    1
    Attribute VB_Name = "Sheet3"
    2
    Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
    3
    Attribute VB_GlobalNameSpace = False
    4
    Attribute VB_Creatable = False
    5
    Attribute VB_PredeclaredId = True
    6
    Attribute VB_Exposed = True
    7
    Attribute VB_TemplateDerived = False
    8
    Attribute VB_Customizable = True
    9
    Private Sub Worksheet_Activate()
    10
    On Error Resume Next

    ToMauNHapLieu

    1
    Attribute VB_Name = "ToMauNHapLieu"
    2
    ' Ribbon callback (takes an IRibbonControl): shows the XoaTrangDuLieu0 object,
    ' which is listed further down this page as its own module.
    ' NOTE(review): the name reads as Vietnamese for "delete old data" - confirm.
    Sub xoadulieucu(control As IRibbonControl)
    3
    ' Any runtime error from here on is ignored, so a failure to show the form is silent.
    On Error Resume Next
    4
    ' The argument 1 requests a modal display: the call returns only after the form closes.
    XoaTrangDuLieu0.Show 1
    5
    End Sub
    6
    ' Clears the contents of cells C2:C17. The Range call is unqualified, so it acts on
    ' whichever sheet is active when the procedure runs.
    Sub XoaPhanNHapLieu()
    7
    ' Errors are ignored (for example if the range cannot be cleared).
    On Error Resume Next
    8
    ' ClearContents removes the cell values only.
    Range("C2:C17").ClearContents
    9
    End Sub
    10
    Sub luuVanBan3(control As IRibbonControl)

    DinhKem

    1
    Attribute VB_Name = "DinhKem"
    2
    3
    ' NOTE(review): the identifiers in this module are obfuscated (l/i/1 look-alike names),
    ' but the constant contents read as lookup tables for Vietnamese text handling, not as
    ' an encoded payload. The function that consumes them is truncated on this page, so
    ' confirm against the full source before drawing a conclusion either way.
    '
    ' Space-separated decimal Unicode code points of Vietnamese accented letters
    ' (for example 225 = a-acute, 273 = d-with-stroke, 272 = its capital form).
    Const l_i_i_l_1_l_i_l_1_1_1_1 = "225 224 7843 227 7841 259 7855 7857 7859 7861 7863 226 7845 7847 7849 7851 7853 233 232 7867 7869 7865 234 7871 7873 7875 7877 7879 237 236 7881 297 7883 243 242 7887 245 7885 244 7889 7891 7893 7895 7897 417 7899 7901 7903 7905 7907 250 249 7911 361 7909 432 7913 7915 7917 7919 7921 253 7923 7927 7929 7925 273 193 193 192 192 7842 7842 195 195 7840 7840 258 258 7854 7854 7856 7856 7858 7858 7860 7860 7862 7862 194 194 7844 7844 7846 7846 7848 7848 7850 7850 7852 7852 201 201 200 200 7866 7866 7868 7868 7864 7864 202 202 7870 7870 7872 7872 7874 7874 7876 7876 7878 7878 205 204 7880 296 7882 211 211 210 210 7886 7886 213 213 7884 7884 212 212 7888 7888 7890 7890 7892 7892 7894 7894 7896 7896 416 7898 7898 7900 7900 7902 7902 7904 7904 7906 7906 218 218 217 217 7910 7910 360 360 7908 7908 431 7912 7912 7914 7914 7916 7916 7918 7918 7920 7920 221 221 7922 7922 7926 7926 7928 7928 7924 272 "
    4
    ' Space-separated groups of the digits 1-5; their meaning is not visible in this excerpt
    ' (presumably per-letter tone or mark indices - TODO confirm).
    Const l_i_i_l_1_l_i_1_l_1_1_1 = "12345 12345 1234512345 123451234512345 12345 1234512345 1234512345 1122334455 1122334455 11223344551122334455 1122334455123451122334455 1122334455 11223344551122334455 1122334455112233445 "
    5
    ' Base letters, some followed by "z" or "zz" markers; appears to parallel the code-point
    ' table above entry by entry - TODO confirm.
    Const l_i_i_l_1_l_i_1_1_l_1_1 = "a a a a a az az az az az az azzazzazzazzazzazze e e e e ez ez ez ez ez ez i i i i i o o o o o oz oz oz oz oz oz ozzozzozzozzozzozzu u u u u uz uz uz uz uz uz y y y y y dz a a a a a a a a a a az az az az az az az az az az az az azzazzazzazzazzazzazzazzazzazzazzazze e e e e e e e e e ez ez ez ez ez ez ez ez ez ez ez ez i i i i i o o o o o o o o o o oz oz oz oz oz oz oz oz oz oz oz oz ozzozzozzozzozzozzozzozzozzozzozzu u u u u u u u u u uz uz uz uz uz uz uz uz uz uz uz y y y y y y y y y dz"
    6
    ' Unaccented ASCII letters, one character per entry (lower case, then upper case).
    Const l_i_i_l_1_l_i_1_1_1_l_1 = "aaaaaaaaaaaaaaaaaeeeeeeeeeeeiiiiiooooooooooooooooouuuuuuuuuuuyyyyydAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEEEEEEEEEEEEEEEEEEEEEEIIIIIOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOUUUUUUUUUUUUUUUUUUUUUYYYYYYYYYD"
    7
    Function l_i_i_l_1_l_i_1_1_1_1_l(Text As String) As String
    8
    Dim l_i_i_l_1_l_l_i_1_1_1_1, CharCode, l_i_i_1_1_l_i_1_l_l_1_1, l_i_i_i_1_1_1_1_1_l_l_l As Long
    9
    l_i_i_l_1_l_i_1_1_1_1_l = Text
    10
    l_i_i_l_1_l_l_i_1_1_1_1 = Array("aws", "awf", "awr", "awx", "awj", "aas", "aaf", "aar", "aax", "aaj", "ees", "eef", "eer", "eex", "eej", "oos", "oof", "oor", "oox", "ooj", "ows", "owf", "owr", "owx", "owj", "uws", "uwf", "uwr", "uwx", "uwj", "as", "af", "ar", "ax", "aj", "aw", "aa", "dd", "es", "ef", "er", "ex", "ej", "ee", "is", "if", "ir", "ix", "ij", "os", "of", "or", "ox", "oj", "oo", "ow", "us", "uf", "ur", "ux", "uj", "uw", "ys", "yf", "yr", "yx", "yj")

    TimVB

    1
    Attribute VB_Name = "TimVB"
    2
    ' Ribbon callback (takes an IRibbonControl) that only forwards to TimVanBanG,
    ' the procedure declared next in this module (its body is truncated on this page).
    Sub TimVanBan3(control As IRibbonControl)
    3
    Call TimVanBanG
    4
    End Sub
    5
    Sub TimVanBanG()
    6
    Attribute TimVanBanG.VB_ProcData.VB_Invoke_Func = " \n14"
    7
    On Error Resume Next
    8
    Application.ScreenUpdating = False
    9
    10

    GuiMail

    1
    Attribute VB_Name = "GuiMail"
    2
    Sub GuiMailVB(control As IRibbonControl)
    3
    On Error Resume Next
    4
    If ActiveSheet.CodeName = "Sheet4" Then
    5
    GoTo Thoat
    6
    End If
    7
    8
    If ActiveSheet.CodeName = "Sheet2" Then
    9
    GoTo Thoat
    10
    End If

    RibbSuaVB

    1
    Attribute VB_Name = "RibbSuaVB"
    2
    ' Sets MyVisible to True when the active sheet's CodeName is "Sheet1" or "Sheet3";
    ' otherwise MyVisible is left as the caller passed it.
    ' NOTE(review): the signature matches a ribbon visibility callback - confirm against
    ' the ribbon XML, which is not shown on this page.
    Sub UX_Visible_Sua(control As IRibbonControl, ByRef MyVisible)
    3
    ' On any runtime error, jump to the Thoat label and leave without changing MyVisible.
    On Error GoTo Thoat
    4
    If ActiveWorkbook.ActiveSheet.CodeName = "Sheet1" Or ActiveWorkbook.ActiveSheet.CodeName = "Sheet3" Then
    5
    MyVisible = True
    6
    End If
    7
    ' Shared exit point for the normal path and the error path.
    Thoat:
    8
    End Sub
    9
    Sub UX_Visible_DinhKemFile(control As IRibbonControl, ByRef MyVisible)
    10
    On Error GoTo Thoat

    Luu1y

    1
    Attribute VB_Name = "Luu1y"
    2
    Attribute VB_Base = "0{7FB37395-4BDA-4522-8434-A83332574C6E}{BDEBF4AE-C1FC-4FAA-9E54-4F3376740B2E}"
    3
    Attribute VB_GlobalNameSpace = False
    4
    Attribute VB_Creatable = False
    5
    Attribute VB_PredeclaredId = True
    6
    Attribute VB_Exposed = False
    7
    Attribute VB_TemplateDerived = False
    8
    Attribute VB_Customizable = False
    9
    10
    Private Sub Label1_Click()

    Module1

    1
    Attribute VB_Name = "Module1"
    2
    Sub Macro1()
    3
    Attribute Macro1.VB_ProcData.VB_Invoke_Func = " \n14"
    4
    '
    5
    ' Macro1 Macro
    6
    '
    7
    8
    '
    9
    10

    XoaTrangDuLieu1

    1
    Attribute VB_Name = "XoaTrangDuLieu1"
    2
    Attribute VB_Base = "0{41E84528-E3B4-4B7F-9EB1-F5209538F74A}{8CCBD81F-C3AC-47BB-8075-C08E92270CF6}"
    3
    Attribute VB_GlobalNameSpace = False
    4
    Attribute VB_Creatable = False
    5
    Attribute VB_PredeclaredId = True
    6
    Attribute VB_Exposed = False
    7
    Attribute VB_TemplateDerived = False
    8
    Attribute VB_Customizable = False
    9
    10

    l_i_i_1_i_1_l_1_1_l_l_1

    1
    Attribute VB_Name = "l_i_i_1_i_1_l_1_1_l_l_1"
    2
    Attribute VB_Base = "0{4A339673-22BE-4BDB-ADA5-0910BCE89492}{C9C5CF4E-9EED-4829-B452-B1C9413219E0}"
    3
    Attribute VB_GlobalNameSpace = False
    4
    Attribute VB_Creatable = False
    5
    Attribute VB_PredeclaredId = True
    6
    Attribute VB_Exposed = False
    7
    Attribute VB_TemplateDerived = False
    8
    Attribute VB_Customizable = False
    9
    10

    Form

    1
    Attribute VB_Name = "Form"
    2
    Sub HienF3()
    3
    On Error Resume Next
    4
    5
    If ActiveSheet.CodeName = "Sheet1" And ActiveCell.Row > 1 And ActiveCell.Column = 7 Then
    6
    SaveSetting "QLVB20", "Startup", "TenForm", Sheets("Tempvtv1SA").Range("C1").Value
    7
    SaveSetting "QLVB20", "Startup", "VungLoc", "B2:B2000"
    8
    l_i_i_1_i_1_l_1_1_l_l_1.Show 1
    9
    End If
    10

    Kichhoat1

    1
    Attribute VB_Name = "Kichhoat1"
    2
    Attribute VB_Base = "0{8DA9557D-AB07-4FAF-8253-DE0C4E37C2F8}{BF031680-67E0-42C1-9353-80A682695A5A}"
    3
    Attribute VB_GlobalNameSpace = False
    4
    Attribute VB_Creatable = False
    5
    Attribute VB_PredeclaredId = True
    6
    Attribute VB_Exposed = False
    7
    Attribute VB_TemplateDerived = False
    8
    Attribute VB_Customizable = False
    9
    Private Sub KichHoatTienICh_Click()
    10
    Call khqlvb

    Ribb

    1
    Attribute VB_Name = "Ribb"
    2
    3
    Sub LuuTieuDe()
    4
    On Error Resume Next
    5
    For i = 2 To 17
    6
    If Cells(4, i).Value <> Cells(3, i).Value And Cells(4, i).Value <> " " And Cells(4, i).Value <> "" Then
    7
    Sheet5.Cells(2, i).Value = Cells(4, i).Value
    8
    Else
    9
    Sheet5.Cells(2, i).Value = Sheet5.Cells(25, i).Value
    10
    End If

    Sheet6

    1
    Attribute VB_Name = "Sheet6"
    2
    Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
    3
    Attribute VB_GlobalNameSpace = False
    4
    Attribute VB_Creatable = False
    5
    Attribute VB_PredeclaredId = True
    6
    Attribute VB_Exposed = True
    7
    Attribute VB_TemplateDerived = False
    8
    Attribute VB_Customizable = True
    9
    Private Sub Worksheet_Activate()
    10
    On Error Resume Next

    XoaTrangDuLieu0

    1
    Attribute VB_Name = "XoaTrangDuLieu0"
    2
    Attribute VB_Base = "0{4D8F02D8-A199-4186-9662-C8F249BC8946}{DD963098-FCE9-496A-ACC7-1505ED5ED67B}"
    3
    Attribute VB_GlobalNameSpace = False
    4
    Attribute VB_Creatable = False
    5
    Attribute VB_PredeclaredId = True
    6
    Attribute VB_Exposed = False
    7
    Attribute VB_TemplateDerived = False
    8
    Attribute VB_Customizable = False
    9
    10

    Module2

    1
    Attribute VB_Name = "Module2"
    2
    3
    Sub Macro4()
    4
    Attribute Macro4.VB_ProcData.VB_Invoke_Func = " \n14"
    5
    '
    6
    ' Macro4 Macro
    7
    '
    8
    9
    '
    10
    Range("B5").Select

    Module3

    1
    Attribute VB_Name = "Module3"
    2
    ' Saves the active workbook; the procedure does nothing else.
    Sub Macro3()
    3
    ' Per-procedure attribute stored with the macro; it is not an executable statement.
    Attribute Macro3.VB_ProcData.VB_Invoke_Func = " \n14"
    4
    5
    ActiveWorkbook.Save
    6
    End Sub
    7
