This week I got an email claiming to be a YellowPages invoice with an XLS attachment containing an Excel 4.0 macro, similar to the samples in [1][2].

Using Didier's oledump.py tool, I checked the spreadsheet with the plugin_biff plugin and its -x option, which shows Excel 4 macros:

The next step is to check for any embedded URL in this XLS document. I used plugin_biff's find option -f to see if any URLs are embedded in this file:

Unfortunately, the embedded URL http[:]//fikima[.]com/axel[.]exe was taken down soon after I received this email [3]. I checked the VirusTotal hash database [4] and there is no record of this file having been submitted before the domain was taken down. As a final step, I scanned the file with ClamAV, with negative results.

[1] https://isc.sans.edu/forums/diary/Maldoc+Excel+40+Macros/24750/
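As an added example (not code from this diary or from oledump.py), here is the same pair of checks that plugin_biff's -x and -f options perform, reimplemented in Python: walk the BIFF record stream, flag every BOUNDSHEET record whose sheet type is 0x01 (an Excel 4.0 macro sheet) together with its hidden state, and search the stream for URLs in both 8-bit and UTF-16 text. The BIFF stream below is constructed for the example, not a real sample; record layouts follow the BIFF8 specification, and for a real .xls you would pass the bytes of the "Workbook" OLE stream (read with a library such as olefile) instead.

```python
import re
import struct

BOUNDSHEET = 0x0085  # BIFF record type that declares each sheet in the workbook
SHEET_TYPES = {0x00: "worksheet", 0x01: "Excel 4.0 macro sheet", 0x02: "chart", 0x06: "VB module"}
HIDDEN_STATES = {0: "visible", 1: "hidden", 2: "very hidden"}
URL_RE = re.compile(r"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+")

def iter_biff_records(stream):
    """Walk a BIFF stream: each record is a 2-byte type, a 2-byte length, then the payload."""
    pos = 0
    while pos + 4 <= len(stream):
        rtype, rlen = struct.unpack_from("<HH", stream, pos)
        payload = stream[pos + 4:pos + 4 + rlen]
        if len(payload) < rlen:  # truncated final record: stop rather than misparse
            break
        yield rtype, payload
        pos += 4 + rlen

def parse_boundsheet(payload):
    """Decode a BIFF8 BOUNDSHEET record: BOF offset, hidden state, sheet type, sheet name."""
    bof_offset, state, stype = struct.unpack_from("<IBB", payload, 0)
    cch, flags, raw = payload[6], payload[7], payload[8:]
    name = raw[:cch * 2].decode("utf-16-le") if flags & 1 else raw[:cch].decode("latin-1")
    return {"name": name, "hidden": HIDDEN_STATES.get(state & 0x03, "unknown"),
            "type": SHEET_TYPES.get(stype, "unknown"), "bof_offset": bof_offset}

def find_xlm_sheets(stream):
    """Return every sheet the workbook declares as an Excel 4.0 macro sheet (type 0x01)."""
    return [parse_boundsheet(p) for t, p in iter_biff_records(stream)
            if t == BOUNDSHEET and len(p) >= 8 and p[5] == 0x01]

def find_urls(stream):
    """Find URLs stored as 8-bit text or as UTF-16-LE text (both byte alignments)."""
    views = [stream.decode("latin-1"), stream.decode("utf-16-le", "ignore"),
             stream[1:].decode("utf-16-le", "ignore")]
    return list(dict.fromkeys(m.group() for v in views for m in URL_RE.finditer(v)))

def _rec(rtype, payload):  # helper to build one BIFF record for the constructed sample
    return struct.pack("<HH", rtype, len(payload)) + payload

def _boundsheet(name, state, stype):  # BOUNDSHEET with an 8-bit (compressed) sheet name
    return _rec(BOUNDSHEET, struct.pack("<IBB", 0, state, stype) + bytes([len(name), 0]) + name.encode("latin-1"))

# Constructed BIFF stream, not a real sample: BOF, a visible worksheet, a very hidden XLM macro
# sheet, a LABEL-like record carrying a placeholder URL, then EOF.
SAMPLE = (_rec(0x0809, b"\x00" * 16) + _boundsheet("Sheet1", 0, 0x00) + _boundsheet("Macro1", 2, 0x01)
          + _rec(0x0204, b"\x00" * 6 + b"\x21\x00\x00" + b"http://example.invalid/sample.exe")
          + _rec(0x000A, b""))
```

A macro sheet that is "very hidden" cannot be unhidden from Excel's UI, which is why the hidden state is worth reporting alongside the sheet type.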
Guy, ISC Handler, Apr 5th 2020
File is here: https://app.any.run/tasks/ef2a6fe8-c703-4498-b656-f59a23f670ef/ It is a Dridex loader.
Anonymous
Apr 6th 2020