General

  • Target

    macro-docs-2024-5-22.zip

  • Size

    866KB

  • Sample

    240525-amr1vsga51

  • MD5

    ec215cee96db0f37817fb75d6085dcbc

  • SHA1

    46fd33bb6e137d33b7ee507ce63126257020bbe2

  • SHA256

    fa693c2c4da1b0e6cda555af16e6b3abbe3333ccc1de2582bc2ba95467d026de

  • SHA512

    b71ecdd51f615fd05acdf05d86096fd5f730ac8aa974de6e640a1270fea0fb144e9b6b778cbb85e03fa2cabb43a0bcf1548e5342ea7d2cc20e806c8d0b3931c4

  • SSDEEP

    12288:Fa2YCriXCJeijA21jYjc+ZHqow5Y0M+hlNK/TBrZfKiaxAclXQfPhYmhhvPiHn8c:Fanzijh63OYjKNKvKB1lXMPhbnGF

Targets

    • Target

      macro-docs/Dragon Hoard Management Tips.xls

    • Size

      34KB

    • MD5

      90901002b8a58234dda277c158ba2e3a

    • SHA1

      b818652e209db9f1ab86f9c2889759a6192b8b54

    • SHA256

      0b5773386715cb058efd409581094221768e0272148ea23bfab1395fdb53ba48

    • SHA512

      5d7b4baf5464a14c9dfedfeb4f02488693f848fe2147510dcb768fff08b2b8ac884af4f7d976f862420d04d890de680a53998edf025135b7509559fc2d20ff67

    • SSDEEP

      768:/eSFsv66g3KnF439NKC54kkGfn+cL2XdA8dwMbLHYd8p6mci:GSFsv66g3KnF439NKC54kkGfn+cL2Xdx

    • Score

      1/10

    • Target

      macro-docs/Dragon Training Manual.doc

    • Size

      32KB

    • MD5

      373b2e7623e14ffdb051050e7e6f62f0

    • SHA1

      839a0939cefb17095246af066462b67dc5ddfc85

    • SHA256

      18ddc8bce26f27260904c1ac9218ec0a38b9aaedb76549bef70d74d1ed18ef5a

    • SHA512

      b190dfef6edcb8a3038c41a755e43b10c27936c429b619304c0ad90dad38a52df7cd16436400f8f7f883a003af484503ea086d826bcfae443f57ed95b8fa309c

    • SSDEEP

      192:7UKeAHREZEvAqT0sK6/6rJ984woO+QHj1mzOWLTucz/gb2DuekM50jw/stUg6lfC:7U64iSJPw+QD1mz+csxekM50jostQlq

    • Score

      4/10

    • Target

      macro-docs/Fairy Wing Collection Log.xls

    • Size

      29KB

    • MD5

      b67dd16b29cc3eb5745fa0023ea54c91

    • SHA1

      1fb7babe6b45d39048f360c81314202ce89d9815

    • SHA256

      768b12d1fb6cfdbe772984b363cfc8a1a8c6234dd3b2e0b6bc9d48077f8df921

    • SHA512

      afa4a1ddd70d442d2e4db73a3bb5d49a5a0b1a87147233e66553537e73efabb90552fbe9c43c9a180c799085a70b6e282604a2e4585e6b05c3afe69b886b82f9

    • SSDEEP

      768:RDwSFsv66g3KnF439NKC54kkGfn+cL2XdA8Hw3Ksm2:+SFsv66g3KnF439NKC54kkGfn+cL2Xdx

    • Score

      1/10

    • Target

      macro-docs/Ghosthunting for Beginners.doc

    • Size

      34KB

    • MD5

      1196045cdcab84b5a5c64f022bc3fb68

    • SHA1

      0615cf485a668ae95c6deba7d14c8f660efff461

    • SHA256

      d0cf72c6a2c209973b38bcf5b2a92128f0667c0135df356a2952a9eecf15d6b8

    • SHA512

      c249eebb1da35d6299774d2c2096377d2485bec6bbaaf982ad3b6b9e603e3e2487e3924ce35d01d696efaabc15347ac72557406343caaf172f3dca33147786ca

    • SSDEEP

      384:pMEtRWkiSJPw+QD1aClzlfBc50j7Yet2:+Ec+kHlUqq

    • Score

      10/10

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      PowerShell Invoke-WebRequest.

    • Drops file in System32 directory

    • Target

      macro-docs/Ghosthunting for Beginners.xls

    • Size

      34KB

    • MD5

      d21b49e9a52d5679855bd1a3ffac94f2

    • SHA1

      bc81b89fa91dbc1ab256bd1a7e2d94b50d46f92a

    • SHA256

      281af520188669b7974c45c468e21ea2aa2081619222c669dd38b2b9903645b9

    • SHA512

      19b370e03d5985b2c9443c5e16ae8aca03cfc75771ebed0877d32107008f81359ffe543107803b6dab2ac635137869059ec067b616eb946df90c7a4b16ca7fa5

    • SSDEEP

      768:EeSFsv66g3KnF439NKC54kkGfn+cL2XdA80wUnDd06mci:XSFsv66g3KnF439NKC54kkGfn+cL2Xd/

    • Score

      1/10

    • Target

      macro-docs/Ghosts in the Office - Investigation Findings.doc

    • Size

      32KB

    • MD5

      fd8bf55a7c1d5a24726a05fd70f8e12e

    • SHA1

      8f08c4935b218e34206d9e115ada25fbe23640d5

    • SHA256

      d92831f3678dac9554028f5746bf4a98531ab3d08f21169bae2d138285676865

    • SHA512

      3182e82e93409397d8268dd90167da46af5eeebf9a0ca87fcd35969c6025402b4497e989cc068bfc5a9353efe465884f45f54f13eb3eaeb397f5c90b6aa3bcad

    • SSDEEP

      384:PJIap0eiSJPw+QD1qlxkYTYry50jystRX:hM+k6CGp

    • Score

      1/10

    • Target

      macro-docs/Goblin Gold Transactions.xls

    • Size

      29KB

    • MD5

      7bd34ef1335b4f1d23ffa6dc54869dd8

    • SHA1

      2b17354813bdbfa478c54d9dd913a09442fc1a9f

    • SHA256

      80a997df6d710cbbe2a9aa4f5adbd21e1999939aef912434d895edd074fe50d5

    • SHA512

      4800567e1c547d25b02eea0deac3dad6a194b23516e88f6a02bc02814a9d3c2b280d56b049c3334862c297e35e526c4a892dcc23a31bae787d0f53a25d12478b

    • SSDEEP

      768:SDwSFsv66g3KnF439NKC54kkGfn+cL2XdA80w2ysqJx:5SFsv66g3KnF439NKC54kkGfn+cL2XdP

    • Score

      1/10

    • Target

      macro-docs/Haunted Mansion Occupancy Rates.xls

    • Size

      29KB

    • MD5

      0fd93bd17851e1286856b23bb07e6872

    • SHA1

      ea00877322d4fc559e65c03458f8d407a5dc54d2

    • SHA256

      1d0b4cb62be1c31bf857559e0cc44808301c79aee51b49d369d13b2fd273806c

    • SHA512

      c24f65deedf603468605f65c0602a412b5ddecca61da968b802f65c9c7565309b48957c960e3cc36602ca0704ff6624d2ed5a09a5c9f431c963285075ec49a4a

    • SSDEEP

      768:XMkSFsv66g3KnF439NKC54kkGfn+cL2XdA8GwUysOG:5SFsv66g3KnF439NKC54kkGfn+cL2Xd9

    • Score

      1/10

    • Target

      macro-docs/Hobbit Gardening Journal.doc

    • Size

      34KB

    • MD5

      e59355a8900ba47ec58de881d3786693

    • SHA1

      97a8903ebb321b1349636be665efbc09c4deb849

    • SHA256

      939e3d4988b0e605622da90476538d5c8cc15ea8417b5836d3521f4e3057e9b9

    • SHA512

      ade8a399323c9b8564b954b2af2aedb29c04bd4e42d149d999ede4d03ce86d5f6e18e0ecc4006ec74a7185dbeb69255b1680858060f457b3aac416e2b7d7f8ba

    • SSDEEP

      384:RoWp6PiSJPw+QD1ghROgVzpxd4hBE50j9et:yw+k8Vj

    • Score

      10/10

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Target

      macro-docs/Hobbit Gardening Journal.xls

    • Size

      35KB

    • MD5

      03f55a2197b0517f784505a0066194cb

    • SHA1

      1d5eb422fe768d627177079634067c9b9ae0a90a

    • SHA256

      6a10d4188a4abb724d880b10a0d3e374dc225d77578b29e32b34f6f532eba1e0

    • SHA512

      2536653b997767beaccdff3d72ddd9fb7035188f14c79aee809c0b5155dd9e399608fee6ec38a47193ba8df6c166c53e62693bd03ad017133a893baa7c38c96d

    • SSDEEP

      768:DDwSFsv66g3KnF439NKC54kkGfn+cL2XdA8pwUzmrx6mjip:QSFsv66g3KnF439NKC54kkGfn+cL2XdJ

    • Score

      1/10

    • Target

      macro-docs/Hobbit Productivity Analysis.doc

    • Size

      34KB

    • MD5

      84160003c2f2d7bbe218c0700b5e3e3f

    • SHA1

      779a5a4859c72e8a6f89010bc768c630f44f58d6

    • SHA256

      368ed1d9b0d8beab2d29591315cd6d70476a9255bc31e68f46138e71c52b5b16

    • SHA512

      ef53ab063e99affbd3ea9b0cd771d69492f1bede609e9cd9b1c11d33db15659bf7cf4781b5fbbe37966b3364d2442a2a11cb606b2bb499c0ef81133670760969

    • SSDEEP

      384:/48BIiSJPw+QD1pgYzaqBR9u50jH5ttd:gW+kWYrE

    • Score

      10/10

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Command and Scripting Interpreter: PowerShell

      PowerShell Invoke-WebRequest.

    • Drops file in System32 directory

    • Target

      macro-docs/How to Tame Your Kraken.doc

    • Size

      32KB

    • MD5

      ed7a350083916aaaaed3d3044b65b508

    • SHA1

      db47ef11d20fe9cad164dbb73b4923a7ad59c1d7

    • SHA256

      929e2e2020d2bbf08bb96547bc4feee931302d0ea480e3a278388e09e27cef8f

    • SHA512

      2f502976043a1cb57f567919314ee3e1d7b867ed4c035ecbc648eb647bae2671e24e0df245de5ce80338e28f1dab20c758859761d65c360080997b88b3d3bb1c

    • SSDEEP

      384:O1ykamiSJPw+QD14tnfFdkPAh50jdst+O:Gyku+kwfS6

    • Score

      1/10

    • Target

      macro-docs/Interstellar Trade Ledger.xls

    • Size

      29KB

    • MD5

      17c2735c33c1672ae98702cbdd826108

    • SHA1

      fc3ce6be15c9d698ac3c4469717aa274495b2cc3

    • SHA256

      65b5bc54bc38aa59a16dc4cfed527ce43bdfa5a0e4bac59371db06d677b198b3

    • SHA512

      07b3d08cb4511b0662905518463c623676250125691fa2c5c2bc83f23d0f2b8b0bdf071e10e65306c4ebab0fb0e85133a4e90a0502b7fabf97ab201ae6462128

    • SSDEEP

      768:1DwSFsv66g3KnF439NKC54kkGfn+cL2XdA835wTYsDp2P:CSFsv66g3KnF439NKC54kkGfn+cL2Xd1

    • Score

      1/10

    • Target

      macro-docs/Invisibility Cloak Inventory.xls

    • Size

      29KB

    • MD5

      b8720e893f31385d33027f7bec730b59

    • SHA1

      7c86767435ec969faa237f60b8999292e8c0ce47

    • SHA256

      1359dde099c0a67549df780921dad08433e6f4cc17e2b8a2533bb596e4b54997

    • SHA512

      6e5c35e505a616144d63ae5f128f78603035e3024a2c18003fdf938666f88ed9afc239c528066edd45004d662d898fb6286f539aa1c60626ccbf41e7f4061b07

    • SSDEEP

      768:sDwSFsv66g3KnF439NKC54kkGfn+cL2XdA81wXxsBjJ1:LSFsv66g3KnF439NKC54kkGfn+cL2Xdx

    • Score

      1/10

    • Target

      macro-docs/Loch Ness Monster Research Log.doc

    • Size

      34KB

    • MD5

      3a18c5fb28a247ffa096836ad14e8409

    • SHA1

      c476a52481ba5b7a77ec8adf01b1d28ea3fcd5cd

    • SHA256

      5194f4a358da0c1a36ee7aae9d72d9f4d810ed7bfdf28b0ddf4b36ecf862535d

    • SHA512

      93f323d89da7f40c09a56fa228c6b682f38f28032ee89cba1748acbd5fda85884302970b62d10ed6aebb943037ba3b1a7b8c4470ea10f2703773d8fce819b121

    • SSDEEP

      384:Eiy5O6e7iSJPw+QD1xvlzWJBIX50jNet:nM+kBlVJ

    • Score

      10/10

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Command and Scripting Interpreter: PowerShell

      PowerShell Invoke-WebRequest.

    • Drops file in System32 directory

    • Target

      macro-docs/Loch Ness Monster Research Log.xls

    • Size

      34KB

    • MD5

      8501abd0b09ffdce7b751901baf9eee3

    • SHA1

      1b876a5fe28975a067237a96842e0c2c304fd76b

    • SHA256

      fb6df298d458bd1feb8a308c10119b3a26619397b947667d9a3a8412b63cfd24

    • SHA512

      3b3a86fa9691393beb1246de0ceb5ec4f93d44e3b527657dbea8746d88364cc0b2cf3691d40653d7c38190f67a1207db5acccf259c8c33ff059a089aa1857036

    • SSDEEP

      768:PDwSFsv66g3KnF439NKC54kkGfn+cL2XdA8GwI2fpCNQ6mci:8SFsv66g3KnF439NKC54kkGfn+cL2Xdz

    • Score

      1/10

MITRE ATT&CK Enterprise v15

Tasks

static1

macro
macro_on_action
Score
8/10

behavioral1

Score
1/10

behavioral2

Score
1/10

behavioral3

Score
4/10

behavioral4

Score
1/10

behavioral5

Score
1/10

behavioral6

Score
1/10

behavioral7

execution
Score
10/10

behavioral8

execution
Score
10/10

behavioral9

Score
1/10

behavioral10

Score
1/10

behavioral11

Score
1/10

behavioral12

Score
1/10

behavioral13

Score
1/10

behavioral14

Score
1/10

behavioral15

Score
1/10

behavioral16

Score
1/10

behavioral17

Score
10/10

behavioral18

Score
10/10

behavioral19

Score
1/10

behavioral20

Score
1/10

behavioral21

execution
Score
10/10

behavioral22

execution
Score
10/10

behavioral23

Score
1/10

behavioral24

Score
1/10

behavioral25

Score
1/10

behavioral26

Score
1/10

behavioral27

Score
1/10

behavioral28

Score
1/10

behavioral29

execution
Score
10/10

behavioral30

execution
Score
10/10

behavioral31

Score
1/10

behavioral32

Score
1/10