IQ-FA004:Multiple Actors Abusing New Macro Methods

Posted on 2020-05-18 by William MacArthur

We wanted to go through and release some of the more interesting examples that we are running into regarding the era of the hidden (very hidden) documents, which we will publish in more flash reports and tweets going forward. .

It is not a surprise to us that the method we have described from our previous blog posts aimed at this behiavor ZLoader 4.0 Macrosheets Evolution Hidden Sheets, Data Connections, and XLM Macros and has gained popularity.

XLSM leading to Parasite Stealer

InQuest Score

InQuest Score

InQest Labs Embeded Logic

VirusTotal XLSM Score

VirusTotal PE Score

Date Observed Indicator Type Indicator           Notes/Reports
5/18/2020     Maldoc Hash     a76b0b87bea1a1e760cb65790f0c89748b37210a56295ca7a4b96b549a0598b0   InQuest Labs VirusTotal
5/18/2020     URL   /dl.exe
5/18/2020     URL   /gate.php
5/18/2020     IP Address   AS16276 FR OVH
5/18/2020     IP Address   AS207319 RU MSKHOST
5/18/2020     Domain
5/18/2020     Malware Payload    a5969850c72e45cffff2dcd7d6e80751f40dbc8fd4c48d653275503a7ea1e323   VirusTotal Any.Run